PUBKEY_USAGE_AUTH

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Aug 20 20:37:29 CEST 2013


On 08/13/2013 12:03 PM, Werner Koch wrote:
> On Wed,  3 Jul 2013 04:10, gniibe at fsij.org said:
>> Does it make sense to add an option like --auth to enable using
>> authkey for --sign or --clearsign?  Or some flag to enable
>> gpgme_op_sign using authkey?
> 
> OpenPGP only says
> 
>   0x20 - This key may be used for authentication.
> 
> Thus, if an OpenPGP signature is part of an authentication system, it
> makes sense to allow the use of such a key.
> 
> Anyone with ideas for the best way to tell gpg about this.  Shall gpg
> only select authkeys then?  In terms of GPGME integration an option to
> switch to (or allow the use of) authkeys would be the easiest way.

Note that some authentication schemes may require decryption instead of
signing by the keyholder.  So whatever feature is added to gpg to
support auth-capable subkeys should probably apply symmetrically to both
signing and decryption.

As for how to indicate to gpg that the given action is taking place as
part of an authentication exchange, I'd be fine with a new
--authentication option (and --no-authentication, which would be the
default).  Do you see any problems with that approach?

	--dkg
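The thread turns on a single OpenPGP key-flag bit (0x20, "may be used for authentication") and on how gpg should decide whether an auth-capable subkey may be selected for a signing or decryption operation. The following is an added example, not code from this thread or from GnuPG: it decodes the Key Flags signature subpacket (type 27, RFC 4880 section 5.2.3.21) from a hashed subpacket area and applies a key-selection policy modelled on the proposal above. The `authentication=` argument stands in for the proposed `--authentication` option, and its semantics (only auth-flagged keys qualify when set; auth-only keys are never selected when it is not set, for either signing or decryption) are an assumption about how the option would behave, not something the thread settled. The sample subpacket bytes are constructed for the example.

```python
"""
Added example (not from the gnupg-devel thread and not GnuPG code):
decode an OpenPGP Key Flags subpacket and decide whether a key may be
selected for signing or decryption, with the proposed --authentication
option modelled as a boolean argument (assumed semantics).
"""

# Key-flag bits from RFC 4880 section 5.2.3.21 (first flag octet).
KEY_FLAGS = {
    0x01: "certify",
    0x02: "sign",
    0x04: "encrypt-communications",
    0x08: "encrypt-storage",
    0x10: "split-key",
    0x20: "authentication",   # the bit discussed in the thread
    0x80: "group-key",
}

KEY_FLAGS_SUBPACKET_TYPE = 27


def decode_key_flags(body: bytes) -> set:
    """Return the capability names set in a Key Flags subpacket body.
    Only the first octet carries defined flags; any further octets are
    reserved and are ignored rather than rejected, so newer flags do not
    break older readers."""
    if not body:
        return set()
    first = body[0]
    return {name for bit, name in KEY_FLAGS.items() if first & bit}


def parse_subpacket(data: bytes):
    """Parse one signature subpacket (RFC 4880 section 5.2.3.1).
    Returns (type, body, remaining_bytes). The length field covers the
    type octet plus the body, but not the length field itself."""
    first = data[0]
    if first < 192:
        length, off = first, 1
    elif first < 255:
        length = ((first - 192) << 8) + data[1] + 192
        off = 2
    else:
        length = int.from_bytes(data[1:5], "big")
        off = 5
    if length < 1 or off + length > len(data):
        raise ValueError("truncated subpacket")
    ptype = data[off] & 0x7F            # high bit is the "critical" marker
    body = data[off + 1:off + length]
    return ptype, body, data[off + length:]


def key_flags_from_hashed_area(area: bytes) -> set:
    """Walk a hashed subpacket area and return the flags from the first
    Key Flags subpacket found (simplification: duplicates are not handled).
    A key with no Key Flags subpacket gets no capabilities here."""
    while area:
        ptype, body, area = parse_subpacket(area)
        if ptype == KEY_FLAGS_SUBPACKET_TYPE:
            return decode_key_flags(body)
    return set()


def select_key(flags: set, operation: str, authentication: bool = False) -> bool:
    """Decide whether a key with these flags may perform `operation`
    ("sign" or "decrypt").

    Assumed semantics of the proposed --authentication option: when set,
    only keys carrying the authentication flag qualify, for signing and
    decryption alike (the symmetry dkg asks for); when not set, the usual
    rule applies and an auth-only key is never selected."""
    if operation not in ("sign", "decrypt"):
        raise ValueError("unknown operation: %r" % operation)
    if authentication:
        return "authentication" in flags
    if operation == "sign":
        return "sign" in flags
    return bool(flags & {"encrypt-communications", "encrypt-storage"})


# Constructed sample hashed area: a Signature Creation Time subpacket
# (type 2, four octets of timestamp) followed by Key Flags = 0x20.
SAMPLE_HASHED_AREA = (
    b"\x05\x02" + b"\x52\x13\x9a\x1d"   # length 5, type 2, timestamp
    + b"\x02\x1b\x20"                   # length 2, type 27, flags 0x20
)

if __name__ == "__main__":
    flags = key_flags_from_hashed_area(SAMPLE_HASHED_AREA)
    print("flags:", sorted(flags))
    for op in ("sign", "decrypt"):
        for auth in (False, True):
            print(op, "authentication=%s" % auth, "->",
                  select_key(flags, op, authentication=auth))
```

Run as a script it prints the decoded flags for the constructed subkey (authentication only) and shows that the key is refused for both operations unless the authentication argument is set, which is the behaviour the proposed option would have to implement on both the signing and the decryption path.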
