OpenPGP Card

Zeljko Vrba zvrba at globalnet.hr
Tue Sep 6 15:56:22 CEST 2005


Joe Smith wrote:
>
> For example, your CA can revoke your key leaving you with one key that
> is invalid X.509, but valid OpenPGP? Yuck!
>
Using the X.509 cert and OpenPGP public key (having the same private
key) could be useful in the following scenario:

1. You must periodically pay to your CA to renew your certificate
2. OpenPGP trust model isn't as 'strong' as X.509 (i.e. there aren't
many trusted introducers)

So, you pay ONCE to some CA to issue you short-lived, widely-trusted
certificate. It will expire after a year or so, but.. you can continue
to use your OpenPGP key as long as you deem it's OK.

The point is that your _identity_ doesn't change when the X.509 cert
expires.

So, continuing to use the X.509 (expired) private key solves problem 1.
Having X.509 cert in the first place, solves problem 2.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050906/1e5b0a68/signature.pgp


More information about the Gnupg-devel mailing list