making the X.509 infrastructure available for OpenPGP
Hauke Laging
mailinglisten at hauke-laging.de
Tue Feb 4 04:55:56 CET 2014
Hello,
I would like to say first that my X.509 understanding is orders of
magnitude lower than that of OpenPGP. So I hope this makes sense to
you...
This idea came to my mind while I was wondering why several CAs offer
free (but rather useless...) certificates for X.509 but not for OpenPGP.
Whatever they do with X.509 can be done with OpenPGP, too (e.g. setting
an expiration date for the signature). How much effort can it be to
offer both?
Then I realized that they could do that but that a CA signature for an
OpenPGP certificate is rather useless in today's situation: Most of the
value of an X.509 certification is the pre-installed root CA pool. A
certification by a non-pre-installed CA is typically less useful than an
OpenPGP certification.
Now my point: Keys can be converted from one format to the other. The
fingerprint changes but obviously the keygrip doesn't. I believe it
would make a lot of sense to create a connection between gpg and gpgsm
and point gpgsm to the OS's and/or browser's root certificate pool.
Then a CA could offer its certificate in OpenPGP format (even conforming
to some new "standard" which makes it easier to detect this special kind
of certificate e.g. by using a comment or signature notation pointing to
the related X.509 certificate), and GnuPG could easily realize that it
is the same key. This would relieve the user from the hard decision
whether a certificate is valid (the CA's OpenPGP certificate in this
case). The user would just have to decide (like with any other OpenPGP
certificate) whether he wants to trust this CA (and how much).
By doing so the pre-installed CA pool would become valuable for OpenPGP,
too, and it would make sense for the CAs to offer certifications for
OpenPGP certificates, too.
Maybe there are other reasons for some CAs, too. But I assume this would
be rather little effort and could close much of the gap to S/MIME's
convenience.
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
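The post's central technical claim is that the same key material yields a different fingerprint in OpenPGP and X.509 but the same keygrip. The following is an added example by the editor, not code from the post's author or from GnuPG. It builds an OpenPGP v4 public-key packet for an RSA key as RFC 4880 section 12.2 describes and hashes it to a fingerprint, then computes a keygrip over the bare (n, e) parameters. The keygrip layout is the RSA form documented for libgcrypt as this editor understands it (SHA-1 over "(1:n<len>:<n>)(1:e<len>:<e>)" with the parameters in signed big-endian form) and is an assumption to verify against `gpg --with-keygrip`; the modulus is a constructed toy value, not a real key. Changing only the creation time (something X.509 does not even carry) changes the fingerprint while the keygrip stays put, which is exactly what lets gpg and gpgsm recognise one key.

```python
"""Same RSA key, two OpenPGP fingerprints, one keygrip.

Added example; not code from the original post or from GnuPG.
"""
import hashlib
import struct

# Constructed toy RSA public key (not a real modulus, far too small anyway).
N = 0xC0FFEE1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567891
E = 65537


def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-octet bit length followed by minimal big-endian octets."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def openpgp_v4_fingerprint(n: int, e: int, creation_time: int) -> str:
    """SHA-1 over 0x99 || 2-octet body length || v4 public-key packet body.

    Body: version 4, creation time (4 octets), algorithm 1 (RSA), MPI n, MPI e.
    The creation time is part of the hash, so it changes the fingerprint.
    """
    body = b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(packet).hexdigest().upper()


def signed_be(value: int) -> bytes:
    """Big-endian octets with a leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + body if body[0] & 0x80 else body


def rsa_keygrip(n: int, e: int) -> str:
    """Keygrip over the key parameters only (assumed libgcrypt RSA layout).

    No creation time, no user ID, no packet framing: anything derived from
    the same (n, e), whether an OpenPGP key or an X.509 SubjectPublicKeyInfo,
    hashes to the same value.
    """
    sexp = b""
    for name, value in ((b"n", n), (b"e", e)):
        data = signed_be(value)
        sexp += b"(1:" + name + str(len(data)).encode() + b":" + data + b")"
    return hashlib.sha1(sexp).hexdigest().upper()


def compare(n: int, e: int, t1: int, t2: int) -> dict:
    """Fingerprints for two creation times plus the single keygrip."""
    return {
        "fingerprint_t1": openpgp_v4_fingerprint(n, e, t1),
        "fingerprint_t2": openpgp_v4_fingerprint(n, e, t2),
        "keygrip": rsa_keygrip(n, e),
    }


if __name__ == "__main__":
    # Two constructed creation times one day apart.
    result = compare(N, E, 1391486156, 1391572556)
    for label, value in result.items():
        print(f"{label:15s} {value}")
```

Run it and the two fingerprint lines differ while the keygrip line is the same; swap in a real key's n and e (from `gpg --export-ssh-key` or `openssl rsa -pubin -text`) and compare the keygrip against `gpg --with-keygrip -k` or `gpgsm --with-keygrip -k` to confirm the assumed layout on your installation.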