using gpg with private keys from openssl certificates?
faramir.cl at gmail.com
Thu Dec 18 05:43:10 CET 2008
>>> * if I sign a message with that key pair, and someone challenges my
>>> identity, what's the best/easiest way for me to prove my identity?
> I don't need them to interoperate, I would just like to use the same key
> pair. WoT is fine but it would be nice to have a way to assert that [X = the
> person in possession of private key K_pr = me + anyone I'm stupid enough to
> share my private key with] is both trustable via WoT, *or* by trusting a
> certificate authority. "trustable" probably not the right word but I'm a bit
> shaky on the protocol vocabulary.
Well... I got an x.509 certificate from CAcert.org, with my name on it.
But also, I got CAcert's pgp signature on my pgp key... Also, if you
have a Thawte certificate with your name on it, you can use it to sign a
message containing your PGP public key, and some people would accept
that as a proof the key belongs to you (unless somebody has stolen your
email account, and your x.509 certificate).
Rather than using the same key pair with x.509 and PGP, I would
suggest using your x.509 certificate as a "proof" of your identity, and
if people accept that as a valid proof, then they would sign your pgp
Take a look at www.gswot.org; people there accept CAcert and Thawte
certificates as valid ways to prove your identity, and can sign your key
to reflect that. Of course, that would only help you if the one
challenging your identity trusts GSWoT Introducers signatures...
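
The approach suggested in the message above (using an X.509 certificate to sign a message that contains your PGP public key) can be tried with `openssl smime`. This is an added example, not part of the original post: the file names, the "Example User" subject and the placeholder key text are constructed, and a throwaway self-signed certificate stands in for a CA-issued one.

```shell
#!/bin/sh
# Added example. Constructed names throughout; a throwaway self-signed
# certificate stands in for a CA-issued one (e.g. from CAcert or Thawte).

# sign_pgp_key CERT KEY PUBKEY OUT
# S/MIME clear-sign the exported PGP public key with the X.509 key pair.
sign_pgp_key() {
    openssl smime -sign -in "$3" -signer "$1" -inkey "$2" -out "$4" 2>/dev/null
}

# verify_pgp_key TRUSTED SIGNED CONTENT_OUT SIGNER_OUT
# Check the signature and chain against TRUSTED, then write the signed
# content and the signer's certificate out for inspection.
verify_pgp_key() {
    openssl smime -verify -CAfile "$1" -in "$2" -out "$3" -signer "$4" 2>/dev/null
}

demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example User" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || exit 1
    # Stand-in for: gpg --armor --export <key id> > pubkey.asc
    echo "constructed placeholder for an armored PGP public key" > "$d/pubkey.asc"

    sign_pgp_key "$d/cert.pem" "$d/key.pem" "$d/pubkey.asc" "$d/signed.eml" || exit 1

    # Recipient side: signature must verify and the content must be the key.
    verify_pgp_key "$d/cert.pem" "$d/signed.eml" "$d/out.asc" "$d/signer.pem" || exit 1
    grep -q "armored PGP public key" "$d/out.asc" || exit 1
    # The name the recipient relies on is the certificate subject.
    openssl x509 -in "$d/signer.pem" -noout -subject | grep -q "Example User" || exit 1

    # A key swapped in after signing must be rejected.
    sed 's/placeholder/REPLACED/' "$d/signed.eml" > "$d/tampered.eml"
    if verify_pgp_key "$d/cert.pem" "$d/tampered.eml" "$d/t.asc" "$d/t.pem"; then
        exit 1
    fi
    exit 0
)

demo && echo "PGP key verified against the X.509 certificate subject"
```

With a real certificate, the recipient passes the issuing CA's root as the trusted file and then compares the fingerprint of the recovered key with the key they intend to sign.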