using gpg keys with tls
David Shaw
dshaw@jabberwocky.com
Thu Apr 3 07:08:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, Apr 02, 2003 at 11:08:39PM -0500, Joel N. Weber II wrote:
> It appears to be the case that the correct way to implement support
> for OpenPGP keys in a TLS implementation is as follows, ignoring for
> the moment the possibility of client certificates:
>
> 1) The server does gpg --export on the key it wants to use, and sends
> that data as the certificate in the TLS protocol.
>
> 2) The client and server do some extra handshaking to acknowledge the
> possibility of using OpenPGP keys.
>
> 3) The server does some magic to get the actual bits of the RSA or DSA
> private key, and feeds them into the TLS implementation, which then
> does the same thing it would have done if it had gotten the private
> key that corresponds to an X.509 certificate.
>
> What's not obvious to me is the correct way to get the bits from the
> GPG for step 3. Can someone tell me?
Well, RFC-2440 has the details on getting the bits. BUT: there were a
number of drafts giving all the fiddly details of using OpenPGP keys
in TLS. You might have to do some digging to track them down since I
believe most are expired now. FWIW, PGP supports this as well, but I
don't know the exact details of how they implemented it, or whether it
is compatible with the drafts I mentioned.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc
iD8DBQE+i8G64mZch0nhy8kRAoruAKDRrYRzLhdoH6vHYUixwryhmjBecwCgoJt0
qRphbK6YfJc//0ujrTsEpBE=
=KCHO
-----END PGP SIGNATURE-----
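Step 3 of the procedure quoted above, "getting the bits", is just walking the packet format that David points to in RFC 2440. The following is an added example, not code from either poster or from GnuPG: it parses the binary packet stream that `gpg --export` (public key packet, tag 6) and `gpg --export-secret-keys` (secret key packet, tag 5) emit, pulls out the RSA MPIs n, e and, for the secret key, d, p, q and u, and computes the v4 fingerprint so the result can be checked against `gpg --fingerprint` or `gpg --list-packets`. The key material it runs on is a constructed textbook-sized RSA key built inside the script, not a real key; the function names and the creation timestamp are the example's own. The one caveat a practitioner hits immediately is also handled: when a passphrase is set, the secret packet's S2K usage octet is non-zero and the MPIs are encrypted, so the raw bits are not available until the key is decrypted (the drafts David mentions were later published as RFC 5081, since obsoleted by RFC 6091).

```python
"""RFC 2440/4880 key-packet parser: pulls the raw RSA MPIs out of gpg --export
style output. Added example; the sample key is a constructed toy key, not real."""
import hashlib
import struct


def _mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    nbits = n.bit_length()
    return struct.pack(">H", nbits) + n.to_bytes((nbits + 7) // 8, "big")


def _read_mpi(buf, off):
    """Decode an MPI at buf[off:]; returns (value, offset just past the MPI)."""
    nbits = struct.unpack(">H", buf[off:off + 2])[0]
    end = off + 2 + (nbits + 7) // 8
    return int.from_bytes(buf[off + 2:end], "big"), end


def old_format_packet(tag, body):
    """Wrap a body in an old-format packet header: 0x80 | tag<<2 | length-type."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % off)
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[off + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[off + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[off + 2:off + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[off + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[off + 1:off + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[off + 1:off + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[off + hdr:off + hdr + length]
        off += hdr + length


def parse_rsa_key_packet(tag, body):
    """Parse a v4 RSA public-key (tag 6) or secret-key (tag 5) packet body."""
    if tag not in (5, 6):
        raise ValueError("not a primary key packet")
    if body[0] != 4:
        raise ValueError("only v4 keys handled here")
    created, algo = struct.unpack(">I", body[1:5])[0], body[5]
    if algo not in (1, 2, 3):                           # RSA, RSA-E, RSA-S
        raise ValueError("not an RSA key (algo %d)" % algo)
    n, off = _read_mpi(body, 6)
    e, off = _read_mpi(body, off)
    key = {"created": created, "n": n, "e": e}
    if tag == 6:
        # v4 fingerprint: SHA-1 over 0x99, 2-byte body length, body (RFC 4880 12.2)
        digest_input = b"\x99" + struct.pack(">H", len(body)) + body
        key["fingerprint"] = hashlib.sha1(digest_input).hexdigest().upper()
        return key
    s2k_usage, off = body[off], off + 1
    if s2k_usage != 0:
        # gpg --export-secret-keys emits this form when a passphrase is set;
        # the MPIs are encrypted and must be decrypted before they are usable.
        raise ValueError("secret MPIs are passphrase-protected (s2k usage %d)" % s2k_usage)
    start = off
    for name in ("d", "p", "q", "u"):                   # u = p^-1 mod q
        key[name], off = _read_mpi(body, off)
    # 2-octet checksum: sum of the plaintext secret MPI octets, mod 65536
    if sum(body[start:off]) & 0xFFFF != struct.unpack(">H", body[off:off + 2])[0]:
        raise ValueError("secret key checksum mismatch")
    return key


def build_toy_keyring():
    """Constructed sample: a textbook-sized RSA key (NOT a real key) as tag 6 + tag 5."""
    p, q, e = 61, 53, 17
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    u = pow(p, -1, q)
    pub_body = b"\x04" + struct.pack(">I", 1049382482) + b"\x01" + _mpi(n) + _mpi(e)
    secret = _mpi(d) + _mpi(p) + _mpi(q) + _mpi(u)
    sec_body = pub_body + b"\x00" + secret + struct.pack(">H", sum(secret) & 0xFFFF)
    return old_format_packet(6, pub_body) + old_format_packet(5, sec_body)


def extract_rsa_keys(data):
    """Return the parsed primary key packets found in a packet stream."""
    return [parse_rsa_key_packet(t, b) for t, b in iter_packets(data) if t in (5, 6)]


if __name__ == "__main__":
    for k in extract_rsa_keys(build_toy_keyring()):
        print(k)
```

To run it on a real key, feed `extract_rsa_keys()` the bytes of `gpg --export <keyid>` (binary, no `--armor`) and compare the printed fingerprint with `gpg --fingerprint <keyid>`; subkeys (tags 14 and 7) use the same body layout and are left out here only to keep the filter on primary keys.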