using gpg keys with tls

David Shaw dshaw at jabberwocky.com
Thu Apr 3 08:08:02 CEST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Apr 02, 2003 at 11:08:39PM -0500, Joel N. Weber II wrote:

> It appears to be the case that the correct way to implement support
> for OpenPGP keys in a TLS implementation is as follows, ignoring for
> the moment the possibility of client certificates:
> 
> 1) The server does gpg --export on the key it wants to use, and sends
>    that data as the certificate in the TLS protocol.
> 
> 2) The client and server do some extra handshaking to acknowledge the
>    possibility of using OpenPGP keys.
> 
> 3) The server does some magic to get the actual bits of the RSA or DSA
>    private key, and feeds them into the TLS implementation, which then
>    does the same thing it would have done if it had gotten the private
>    key that corresponds to an X.509 certificate.
> 
> What's not obvious to me is the correct way to get the bits from the
> GPG for step 3.  Can someone tell me?

Well, RFC-2440 has the details on getting the bits.  BUT: there were a
number of drafts giving all the fiddly details of using OpenPGP keys
in TLS.  You might have to do some digging to track them down since I
believe most are expired now.  FWIW, PGP supports this as well, but I
don't know the exact details of how they implemented it, or whether it
is compatible with the drafts I mentioned.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+i8G64mZch0nhy8kRAoruAKDRrYRzLhdoH6vHYUixwryhmjBecwCgoJt0
qRphbK6YfJc//0ujrTsEpBE=
=KCHO
-----END PGP SIGNATURE-----
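The following is an added example, not part of the original message and not GnuPG code: a minimal reader for the RFC 2440 packet framing and v4 key packets that pulls out the RSA or DSA integers a TLS stack would need. The function names and the toy sample key are constructed for illustration, and it assumes an unprotected secret key (string-to-key usage octet 0); it stops with an error on passphrase-protected material.

```python
# RFC 2440 section 5.5 field names: algorithm -> (public MPIs, secret MPIs)
MPIS = {1: (("n", "e"), ("d", "p", "q", "u")),   # RSA
        17: (("p", "q", "g", "y"), ("x",))}      # DSA

def packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag, length, pos = ctb & 0x3F, data[pos + 1], pos + 2
            if 192 <= length < 224:  # two-octet length
                length, pos = ((length - 192) << 8) + data[pos] + 192, pos + 1
            elif length >= 224:
                raise ValueError("five-octet and partial lengths not handled")
        else:  # old-format header, length type in the low two bits
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 3]
            if size is None:
                raise ValueError("indeterminate length not handled")
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def read_mpis(body, pos, names):  # MPI: two-octet bit count, then the value
    out = {}
    for name in names:
        end = pos + 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        out[name], pos = int.from_bytes(body[pos + 2:end], "big"), end
    return out, pos

def key_material(body, secret=False):
    """Return (algorithm, {field: int}) for a v4 key packet body."""
    version, algo = body[0], body[5]  # octets 1-4 are the creation time
    if version != 4 or algo not in MPIS:
        raise ValueError("only v4 RSA/DSA keys handled")
    key, pos = read_mpis(body, 6, MPIS[algo][0])
    if secret:
        if body[pos] != 0:  # string-to-key usage octet: 0 = unprotected
            raise ValueError("secret key material is passphrase-protected")
        sec, end = read_mpis(body, pos + 1, MPIS[algo][1])
        if sum(body[pos + 1:end]) & 0xFFFF != int.from_bytes(body[end:end + 2], "big"):
            raise ValueError("secret key checksum mismatch")
        key.update(sec)
    return algo, key

# Constructed sample: unprotected toy RSA secret key packet (tag 5), then a user ID (tag 13).
SAMPLE = bytes.fromhex("941d 04 3e8b0000 01 000c0ca1 000511 00 000c0ac1 000635 00063d 000626 0181 b404 74657374")
```

Pass the body of a tag 6 packet with `secret=False` to read only the public integers, which is the part of the exported key that step 1 sends as the certificate.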




More information about the Gnupg-devel mailing list