On Thu, Jun 11, 2020 at 03:33:37PM -0400, Michael Lazar wrote:

> I am storing them in the database as base64-encoded strings. But it would not
> be hard to convert between the two text formats as long as the fingerprint
> bytes are the same. What we're discussing here (to my knowledge) is two
> different text representations of the same SHA256 digest of the public x509
> certificate DER [0][1]. That's the standard way to do certificate
> fingerprinting from what I can tell.

Ah, right, if everybody is already using SHA256 then, yes, we can stick to that and the different serialisations are convertible. And I don't see any reason not to.

From what I can tell there (somewhat surprisingly) really isn't a standard notion of certificate fingerprinting, but SHA1 and SHA256 seem to be the most commonly used by web browsers.

I will express a moderate preference for the "hexadecimal with colons between bytes" notation. It takes up more space than base64, but as a pubnix admin I have people mailing me ssh public keys all the time. Sometimes they attach them, and I'm happy, but other times they just paste 'em right into the email and either their mail client splits the key over several lines and I have to join them back together, or they are sent as one long line and then mutt wraps them on my end and inserts +s or =s or somesuch where it wraps, which blend right in with the actual key content. It's a fiddly thing. The hexadecimal colon format is way easier to work with via eyeball.

Cheers,
Solderpunk
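An added illustration of the point made in the thread, not code from either poster: both serialisations carry the same 32 SHA-256 bytes of the DER certificate, so a client can accept either form, strip the whitespace a mail client inserts when wrapping, and compare the raw bytes. The DER input below is a constructed stand-in for a real certificate.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed sample standing in for DER-encoded X.509 certificate bytes.
# With a real cert you would hash the raw DER (e.g. ssl.PEM_cert_to_DER_cert).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def fingerprint(der: bytes) -> bytes:
    """SHA-256 digest of the DER bytes: the fingerprint both formats encode."""
    return hashlib.sha256(der).digest()


def to_colon_hex(digest: bytes) -> str:
    """'AB:CD:...' form, as shown by browsers and `openssl x509 -fingerprint`."""
    return ":".join(f"{b:02X}" for b in digest)


def to_base64(digest: bytes) -> str:
    """Compact base64 form, as stored in the database discussed above."""
    return base64.b64encode(digest).decode("ascii")


def parse_fingerprint(text: str) -> bytes:
    """Accept either serialisation; tolerate line wraps and pasted whitespace.

    Returns the 32 raw digest bytes, or raises ValueError for anything else.
    """
    compact = re.sub(r"\s+", "", text)      # rejoin lines split by mail clients
    hex_only = compact.replace(":", "")     # colons are optional in hex form
    if re.fullmatch(r"[0-9A-Fa-f]{64}", hex_only):
        return bytes.fromhex(hex_only)
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error:
        raise ValueError("not a hex or base64 SHA-256 fingerprint") from None
    if len(raw) != 32:
        raise ValueError(f"decoded {len(raw)} bytes, expected 32")
    return raw


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two textual fingerprints by their bytes, not their spelling."""
    return hmac.compare_digest(parse_fingerprint(a), parse_fingerprint(b))


if __name__ == "__main__":
    d = fingerprint(SAMPLE_DER)
    print(to_colon_hex(d))
    print(to_base64(d))
```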