Conversion between X509 certificates and gpg keys

Florian Weimer fw@deneb.enyo.de
Fri Feb 23 09:44:00 2001


Johan Wevers <johanw@vulcan.xs4all.nl> writes:


> Florian Weimer wrote:
>
> >> I'm asking because I would like to know if gpg keys can be uniquely
> >> converted to them and vice versa.
>
> > Yes, that's possible. However, due to the nature of this process,
> > signatures on key material are not preserved which makes such
> > conversions pretty meaningless.
>
> Not necessarily. If a conversion program can also show if an X509 cert and a
> gpg key have the same data, the person who signed the original gpg key can be
> rather certain he can safely sign the X509 in the knowledge that it belongs
> to the same person as the gpg key.

In this scenario, there is no need for a conversion: you can sign your X.509 key with OpenPGP and that's it. Of course, no automatic processing is possible, but you won't get this with your approach either.
> It would IMO be an easy way to export an existing web of trust to your
> certificate, thus avoiding the need for not-so-much trusted third parties.

X.509 does not support arbitrary graphs, only forests consisting of a limited number of trees, so a conversion loses information. On the other hand, I have quite a lot of doubts regarding some X.509 implementations (for instance, at least one grants *all* rights/applications to a certificate if it doesn't limit its rights itself; this can hardly be considered security practice). I wouldn't want to work on my private key material with most of them.
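The information loss the message points to, an arbitrary certification graph squeezed into X.509's one-issuer-per-certificate trees, can be made concrete with a small model. The Python below is an added example, not code from this thread or from GnuPG; the key names and certifications are constructed, and it takes the simplified view stated above: every X.509 certificate names exactly one issuer, and roots are self-issued. It builds the OpenPGP view (every key with all of its certifiers), flattens it breadth-first from a chosen set of roots, and lists the certifications that no certificate in the resulting forest can carry.

```python
from collections import deque

# Constructed sample web of trust: (signer, signee) means "signer certified signee's key".
# No real key material is involved; the names are placeholders.
SAMPLE_CERTIFICATIONS = [
    ("alice", "bob"),
    ("carol", "bob"),    # bob has two independent certifiers
    ("bob", "alice"),    # mutual certification forms a cycle (fine in OpenPGP)
    ("bob", "dave"),
    ("carol", "dave"),
    ("dave", "erin"),
]


def build_web_of_trust(certifications):
    """OpenPGP view: each key maps to the set of keys that certified it.

    This is an arbitrary directed graph; cycles and several certifiers per key are allowed."""
    certifiers = {}
    for signer, signee in certifications:
        certifiers.setdefault(signee, set()).add(signer)
    return certifiers


def to_x509_forest(certifications, roots):
    """X.509 view (simplified): every certificate names exactly one issuer; roots are self-issued.

    Certifications are assigned breadth-first from the roots, so the first certifier to
    reach a subject becomes its only issuer. Returns (issuer_of, dropped), where `dropped`
    lists the certifications no certificate in the forest can carry: further certifiers of
    an already-issued subject, signatures by keys that never received a certificate, and
    signatures on the roots themselves."""
    issuer_of = {root: root for root in roots}
    kept = []
    queue = deque(roots)
    while queue:
        issuer = queue.popleft()
        for signer, signee in certifications:
            if signer != issuer or signee in issuer_of:
                continue
            issuer_of[signee] = signer
            kept.append((signer, signee))
            queue.append(signee)
    dropped = [c for c in certifications if c not in kept]
    return issuer_of, dropped


def chain_to_root(issuer_of, subject):
    """Walk the single issuer chain an X.509 verifier would build for `subject`."""
    if subject not in issuer_of:
        raise ValueError(f"no certificate was issued to {subject!r}")
    chain = [subject]
    while issuer_of[chain[-1]] != chain[-1]:
        chain.append(issuer_of[chain[-1]])
    return chain


def loss_report(certifications, roots):
    """Per subject: (certifiers in the web of trust, certifiers surviving in the forest)."""
    web = build_web_of_trust(certifications)
    issuer_of, dropped = to_x509_forest(certifications, roots)
    report = {}
    for subject, certifiers in web.items():
        # A non-root subject in the forest keeps exactly one certifier; a root keeps none.
        survivors = 1 if subject in issuer_of and issuer_of[subject] != subject else 0
        report[subject] = (len(certifiers), survivors)
    return report, dropped


if __name__ == "__main__":
    issuers, lost = to_x509_forest(SAMPLE_CERTIFICATIONS, roots=["alice"])
    print("X.509 chain for erin:", " <- ".join(chain_to_root(issuers, "erin")))
    for signer, signee in lost:
        print(f"lost: {signer}'s certification of {signee}")
```

With `alice` as the only root, half of the six certifications are lost: bob's second certifier, the certification of alice herself, and everything carol signed, since carol never receives a certificate. Adding carol as a second root does not recover them; it only changes which half is dropped, because each subject can still name only one issuer.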