Only the encryption subkey fingerprint is used to KDF the KEK key.
Previously, the text said:
A variable-length field containing the fingerprint of the recipient encryption subkey or a primary key fingerprint identifying the key material that is needed for decryption.
I see two ways to read that:
-
you can either use the target encryption subkey's fingerprint or the certificate's fingerprint (that contains the target encryption subkey)
-
the target encryption key may either be a subkey or a primary key
Now, the first option seems rather unhelpful, because for the sender (and recipient) there are two possible wrapping keys, and indeed noone implements also trying the primary fingerprint: https://tests.sequoia-pgp.org/#ECDH_KDF_using_recipient_fingerprint
The second interpretation makes no sense either: primary keys must be signing-capable keys, and we don't have ECC keys that are both encryption- and signing-capable.
The text was copied from RFC6637 and slightly amended.
The change clarifies that the subkey fingerprint must be used.
Fixes #126 (closed).