Delete key from keyserver
bob.henson at galen.org.uk
Sun Oct 23 11:06:02 CEST 2005
zvrba at globalnet.hr wrote:
>> If you want a formalised external method of identity verification, consider
>> using x.509 and people like Thawte will provide an alternative to GnuPG's
>> personal (face-to-face) methods.
> Actually, at one point in time I did think about getting myself a "real"
> X.509 certificate and use it as "my own CA" certificate by which I sign
> my other ad-hoc keys as I see fit. The thing I don't like about commercial
> X.509 certificates is their short lifetime. It's a pure ripoff and no-work
> money generator for the CA, after you get your 1st certificate.
You don't have to pay for X.509 certificates, not for personal use anyway.
Thawte issue free personal certificates, and so do CAcert.
The latter publish their Root Authority PGP key on their website, which you
can import to your keyring and use as a partial "bridge" across the two
types of verification. For example, with their PGP key on my keyring, if I
sign (locally, I cannot credit it with sufficient trust to sign with an
exportable signature, since I cannot meet with them and fully verify it)
their key it assigns a degree of trust to John W Moore III's key, since his
key has been signed by their key already. One of my keys has been signed by
Thawte (they don't do this any more - I guess for commercial reasons) so
there is a partial bridge there to another system. However, the only key on
my keyring which is fully trusted is Neil's, since we have met up and
correctly verified our keys.
> I have yet to play a bit with gpgsm and see how well you can mix PGP and
> X.509 keys. I.e. can I use my X.509 cert to sign other people's OpenPGP keys?
> Can I at least re-use the X.509 private key for my own OpenPGP key?
I haven't used gpgsm, but I have fully functional X.509 key pairs on my key
ring and can sign OpenPGP keys with them. If you have a running copy of PGP
on your system you can import X.509 certificates to PGP and then export them
as armoured ASCII files, which you can then import straight into OpenPGP.
BTW, do you live anywhere near Pula? If so, and you can wait for another
year till I make my annual visit to my friends there, we might be able to
solve part of your problem with not being able to meet people to countersign
any keys. The downside is, I haven't got many signatures on mine either, so
it's no big deal :-(