Questions about OpenPGP best practices

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 26 08:50:40 CET 2013


On 02/25/2013 11:28 PM, Doug Barton wrote:
> lots, this one for example:
> 
> https://help.ubuntu.com/community/GnuTLS

hmm, i don't use ubuntu myself, but i believe that documentation is
wrong, particularly this section:

  https://help.ubuntu.com/community/GnuTLS#Deploying_the_Certificates

That page also seems to loosely imply that secret keys and X.509
certificates generated by one implementation (GnuTLS's certtool) won't
be interoperable with other implementations (e.g. OpenSSL).

I don't think this is the case, and if it is, i would hope it would be
reported as a bug.

this is pretty off-topic for gnupg-users now, but it would be great if
someone who uses ubuntu would fix that page.

> So it sounds like what you're saying is that there is no hope for a
> system-wide solution for hkps?

No, there are multiple system-wide solutions.  In the long term, for
traditional X.509 certificate verification, curl-gnutls will hopefully
be linked against libgnutls28, which will use its system root CAs by
default.

in the nearer term, you could also use msva-perl with hkpms (if you want
to verify remote hosts via the OpenPGP web of trust).

and you can also modify /usr/share/gnupg/options.skel to change the
default options for new accounts (though i think this won't have an
effect on any existing GnuPG homedirs).

	--dkg
