This is how the scheme works in practice.
Private Key Example Alice uses a key generation tool to generate a public keypair. The public parameters in hexadecimal are: Modulus : a4 11 df 43 4a 6b a1 3e 29 78 5e 65 3c 3e 77 71 78 e5 be bf 1e aa cd 4b 07 94 78 05 c6 c8 06 52 a6 32 ce 8d 31 88 43 f5 78 b4 17 03 99 b1 1b a4 fc e9 82 ec d7 10 f2 56 f4 dc b8 0e e4 d2 e9 e8 ad 90 41 e6 9a 65 ad 97 c3 a6 f4 49 51 b2 cb 98 4c d9 19 ba b4 b6 06 7c 87 79 3f 30 01 fa 1d d9 5c ad 94 f6 5e 09 2d 32 5f 1d f7 ce d2 f5 d1 68 05 c6 95 2b 9a c3 f5 f4 8a f2 a1 a6 9d 7a de 93 Exponent : 01 00 01 The Key Identifier is calculated using SHA512 and truncated to 224 bits to produce the Key Identifier value. The Key Identifier in Base32 encoding is: KeyIdentifier: ABAFYA-ATQBAB-UAG4VXA-MMACY7-4AMIAB4-NWALTA-GSHYAK-5AA An email sender may send email to Alice through a compliant gateway as follows: [email protected] Send email to Alice using encryption if and only if an encryption key for Alice can be found and Alice has published the email encryption policy 'encryption preferred' or stronger. ? [email protected] Send email to Alice using encryption if and only if an encryption key for Alice can be found, otherwise report an error. ABAFYA-ATQBAB-UAG4VXA-MMACY7-4AMIAB4-NWALTA-GSHYAK-5AA?al...@example.com Send email to Alice using encryption if and only if an encryption key for Alice can be found that is directly endorsed under the specified key, otherwise report an error. ABAFYA-ATQBAB-UAG4VXA-MMACY7-4AMIAB4-NWALTA-GSHYAK-5AA?? [email protected] Send email to Alice using encryption if and only if an encryption key for Alice can be found that is (directly or indierectly) endorsed under the specified key, otherwise report an error. The key identifiers are 224 bits long plus an 8 bit prefix to specify the algorithm. It might well be desirable to trim them back to 160 bits but certainly no less than 128 bits. Here is 160 bits: [email protected] Here is 128 bits: [email protected] The 128 bit key identifier might be strong enough for a personal key identifier since the difficulty of finding a key that would match by brute force would be 128 bits. For an organizational key, there is a risk of the key being formed maliciously so as to evade transparency requirements and so the longer identifier is 'probably' necessary. -- Website: http://hallambaker.com/
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
