using gpg keys with tls

David Shaw dshaw at
Thu Apr 3 08:08:02 CEST 2003

On Wed, Apr 02, 2003 at 11:08:39PM -0500, Joel N. Weber II wrote:

> It appears to be the case that the correct way to implement support
> for OpenPGP keys in a TLS implementation is as follows, ignoring for
> the moment the possibility of client certificates:
> 1) The server does gpg --export on the key it wants to use, and sends
>    that data as the certificate in the TLS protocol.
> 2) The client and server do some extra handshaking to acknowledge the
>    possibility of using OpenPGP keys.
> 3) The server does some magic to get the actual bits of the RSA or DSA
>    private key, and feeds them into the TLS implementation, which then
>    does the same thing it would have done if it had gotten the private
>    key that corresponds to an X.509 certificate.
> What's not obvious to me is the correct way to get the bits from the
> GPG for step 3.  Can someone tell me?

Well, RFC-2440 has the details on getting the bits.  BUT: there were a
number of drafts giving all the fiddly details of using OpenPGP keys
in TLS.  You might have to do some digging to track them down since I
believe most are expired now.  FWIW, PGP supports this as well, but I
don't know the exact details of how they implemented it, or whether it
is compatible with the drafts I mentioned.
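The "getting the bits" part of the reply refers to the packet format in RFC 2440 (sections 4.2, 5.5.2 and 5.5.3). The following is an added example, not code from GnuPG or from anyone on this thread: a small packet walker that builds and then parses a v4 RSA public-key or secret-key packet and returns the MPIs (n, e and, for an unencrypted secret key, d, p, q, u) as Python integers. It only handles RSA, v4 keys, and the unencrypted secret-key form (S2K usage octet 0); an exported key whose secret MPIs are passphrase-protected is rejected rather than decrypted, since that is what gpg itself would have to do before any TLS stack could use the key. The RSA parameters are constructed toy values, far too small for real use.

```python
"""RFC 2440 key-packet walker (added example; not GnuPG code).

Handles v4 RSA public-key packets (tag 6) and secret-key packets (tag 5)
whose secret MPIs are stored in the clear (S2K usage octet 0).
"""
import struct

RSA = 1          # public-key algorithm id, RFC 2440 9.1
TAG_SECKEY = 5   # packet tags, RFC 2440 4.3
TAG_PUBKEY = 6


def mpi_encode(value):
    """MPI: two-octet bit count, then the big-endian magnitude (RFC 2440 3.2)."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def mpi_decode(buf, pos):
    """Return (value, next_pos) for the MPI starting at buf[pos]."""
    (bitlen,) = struct.unpack_from(">H", buf, pos)
    nbytes = (bitlen + 7) // 8
    pos += 2
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def packet(tag, body):
    """Old-format header (RFC 2440 4.2.1): 10TTTTLL, then a 1- or 2-octet length."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def packet_header(buf, pos=0):
    """Return (tag, body_start, body_end); accepts old- and new-format headers."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                               # new format, RFC 2440 4.2.2
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack_from(">I", buf, pos + 2)[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                        # old format, RFC 2440 4.2.1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = (2, 3, 5)[ltype]
        length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length


def build_rsa_key_packet(n, e, secret=None, created=0):
    """secret=None -> public-key packet; secret=(d, p, q, u) -> secret-key packet, S2K usage 0."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + mpi_encode(n) + mpi_encode(e)
    if secret is None:
        return packet(TAG_PUBKEY, body)
    sec = b"".join(mpi_encode(x) for x in secret)
    checksum = sum(sec) & 0xFFFF                 # sum of octets mod 65536, RFC 2440 5.5.3
    return packet(TAG_SECKEY, body + bytes([0]) + sec + struct.pack(">H", checksum))


def parse_rsa_key_packet(buf):
    """Return a dict of MPIs; d, p, q, u are present only for an unencrypted secret key."""
    tag, pos, end = packet_header(buf)
    if tag not in (TAG_PUBKEY, TAG_SECKEY):
        raise ValueError("unexpected packet tag %d" % tag)
    if buf[pos] != 4:
        raise ValueError("only v4 keys handled")
    key = {"created": struct.unpack_from(">I", buf, pos + 1)[0]}
    if buf[pos + 5] != RSA:
        raise ValueError("algorithm %d not handled" % buf[pos + 5])
    pos += 6
    key["n"], pos = mpi_decode(buf, pos)
    key["e"], pos = mpi_decode(buf, pos)
    if tag == TAG_PUBKEY:
        return key
    if buf[pos] != 0:                            # S2K usage octet: non-zero means encrypted
        raise ValueError("secret MPIs are passphrase-encrypted (S2K usage %d)" % buf[pos])
    pos += 1
    sec_start = pos
    for name in ("d", "p", "q", "u"):
        key[name], pos = mpi_decode(buf, pos)
    (stored,) = struct.unpack_from(">H", buf, pos)
    if stored != sum(buf[sec_start:pos]) & 0xFFFF:
        raise ValueError("secret key checksum mismatch")
    if pos + 2 != end:
        raise ValueError("trailing bytes in packet")
    return key


# Constructed toy RSA parameters (illustration only, not a usable key).
P, Q = 61, 53
N, E = P * Q, 17
D = pow(E, -1, (P - 1) * (Q - 1))
U = pow(P, -1, Q)                                # u = p^-1 mod q, RFC 2440 5.5.3
TOY_SECRET_PACKET = build_rsa_key_packet(N, E, (D, P, Q, U))
TOY_PUBLIC_PACKET = build_rsa_key_packet(N, E)

if __name__ == "__main__":
    k = parse_rsa_key_packet(TOY_SECRET_PACKET)
    print({name: k[name] for name in ("n", "e", "d", "p", "q", "u")})
```

A real `gpg --export-secret-keys` stream carries more than one packet (user IDs, signatures, subkeys), so in practice you iterate `packet_header` over the buffer and pick the tag 5 or 7 packet for the key you want; the checksum and S2K checks above are the two places where a carelessly written extractor would hand corrupt or still-encrypted material to the TLS layer.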
