Questions about OpenPGP best practices
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Feb 26 08:50:40 CET 2013
On 02/25/2013 11:28 PM, Doug Barton wrote:
> lots, this one for example:

hmm, i don't use ubuntu myself, but i believe that documentation is
wrong, particularly this section:

That page also seems to loosely imply that secret keys and X.509
certificates generated by one implementation (GnuTLS's certtool) won't
be interoperable with other implementations (e.g. OpenSSL).

I don't think this is the case, and if it is, i would hope it would be
reported as a bug.

this is pretty off-topic for gnupg-users now, but it would be great if
someone who uses ubuntu would fix that page.

> So it sounds like what you're saying is that there is no hope for a
> system-wide solution for hkps?

No, there are multiple system-wide solutions. In the long term, for
traditional X.509 certificate verification, curl-gnutls will hopefully
be linked against libgnutls28, which will use its system root CAs by

in the nearer term, you could also use msva-perl with hkpms (if you want
to verify remote hosts via the OpenPGP web of trust).

and you can also modify /usr/share/gnupg/options.skel to change the
default options for new accounts (though i think this won't have an
effect on any existing GnuPG homedirs).