Conversion between X509 certificates and gpg keys
Fri Feb 23 09:44:00 2001
Johan Wevers <firstname.lastname@example.org> writes:
> Florian Weimer wrote:
> >> I'm asking because I would like to know if gpg keys can be uniquely
> >> converted to them and vice versa.
> > Yes, that's possible. However, due to the nature of this process,
> > signatures on key material are not preserved which makes such
> > conversions pretty meaningless.
> Not necessarily. If a conversion program can also show if a X509 cert and a
> gpg key have the same data the person who signed the original gpg key can be
> rather certain he can safely sign the X509 in the knowledge that it belongs
> to the same person than the gpg key.
In this scenario, there is no need for a conversion: you can sign
your X.509 key with OpenPGP and that's it. Of course, no automatic
processing is possible, but you won't get this with your approach
> It would IMO be an easy way to export an existing web of thrust to your
> certificate, thus avoiding the need of not-so-much trusted third parties.
X.509 does not support arbitrary graphs, only forests consisting of a
limited number of trees, so a conversion loses information.
On the other hand, I have quite a lot of doubts regarding some X.509
implementations (for instance, at least one grants *all*
rights/applications to a certificate if it doesn't limit its rights
itself; this can hardly be considered security practice). I wouldn't
want to work on my private key material with most of them.