Conversion between X509 certificates and gpg keys

Florian Weimer
Fri Feb 23 09:44:00 2001

Johan Wevers <> writes:

> Florian Weimer wrote:
> >> I'm asking because I would like to know if gpg keys can be uniquely
> >> converted to them and vice versa.
> > Yes, that's possible. However, due to the nature of this process,
> > signatures on key material are not preserved which makes such
> > conversions pretty meaningless.
> Not necessarily. If a conversion program can also show if a X509 cert and a
> gpg key have the same data the person who signed the original gpg key can be
> rather certain he can safely sign the X509 in the knowledge that it belongs
> to the same person than the gpg key.
In this scenario, there is no need for a conversion: you can sign your X.509 key with OpenPGP and that's it. Of course, no automatic processing is possible, but you won't get this with your approach either.
> It would IMO be an easy way to export an existing web of thrust to your
> certificate, thus avoiding the need of not-so-much trusted third parties.
X.509 does not support arbitrary graphs, only forests consisting of a limited number of trees, so a conversion loses information. On the other hand, I have quite a lot of doubts regarding some X.509 implementations (for instance, at least one grants *all* rights/applications to a certificate if it doesn't limit its rights itself; this can hardly be considered security practice). I wouldn't want to work on my private key material with most of them.