making the X.509 infrastructure available for OpenPGP

Hauke Laging mailinglisten at
Tue Feb 4 04:55:56 CET 2014


I would like to say first that my X.509 understanding is orders of 
magnitude lower than that of OpenPGP. So I hope this makes sense to 

This idea came to my mind while I was wondering why several CAs offer 
free (but rather useless...) certificates for X.509 but not for OpenPGP. 
Whatever they do with X.509 can be done with OpenPGP, too (e.g. setting 
an expiration date for the signature). How much effort can it be to 
offer both?

Then I realized that they could do that but that a CA signature for an 
OpenPGP certificate is rather useless in today's situation: Most of the 
value of an X.509 certification is the pre-installed root CA pool. A 
certification by a non-pre-installed CA is typically less useful than an 
OpenPGP certification.

Now my point: Keys can be converted from one format to the other. The 
fingerprint changes but obviously the keygrip doesn't. I believe it 
would make a lot of sense to create a connection between gpg and gpgsm 
and point gpgsm to the OS's and / or browser's root certificate pool. 
Then a CA could offer its certificate in OpenPGP format (even conforming 
to some new "standard" which makes it easier to detect this special kind 
of certificate e.g. by using a comment or signature notation pointing to 
the related X.509 certificate), and GnuPG could easily realize that it 
is the same key. This would relieve the user from the hard decision 
whether a certificate is valid (the CA's OpenPGP certificate in this 
case). The user would just have to decide (like with any other OpenPGP 
certificate) whether he wants to trust this CA (and how much).

By doing so the pre-installed CA pool would become valuable for OpenPGP, 
too, and it would make sense for the CAs to offer certifications for 
OpenPGP certificates, too.

Maybe there are other reasons for some CAs, too. But I assume this would 
be rather little effort and could close much of the gap to S/MIME's 

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
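A worked illustration of the point the post makes (added here; it is neither part of Hauke's message nor GnuPG's code, and uses only Python's standard library): the same RSA key material yields a different OpenPGP v4 fingerprint for every creation timestamp and a different X.509 identifier again, while the keygrip depends on the modulus alone. The toy modulus TOY_N is constructed and insecure, and the keygrip framing "(1:n<len>:<n>)" with a leading 0x00 octet when the top bit is set is my reading of libgcrypt's rsa.c, stated as an assumption in the code.

```python
import hashlib
import struct

# Constructed toy RSA modulus (two Mersenne primes): insecure, but top bit set like a real one.
TOY_N = (2**127 - 1) * (2**89 - 1)
TOY_E = 65537

def be_bytes(x):
    # Minimal big-endian encoding of a non-negative integer.
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def openpgp_mpi(x):
    # RFC 4880 MPI: 2-byte bit count followed by the magnitude.
    return struct.pack(">H", x.bit_length()) + be_bytes(x)

def openpgp_v4_fingerprint(n, e, created):
    # RFC 4880 12.2: SHA-1 over 0x99, a 2-byte length and the v4 public-key packet
    # body (version 4, creation time, algorithm 1 = RSA, MPIs n and e).
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + openpgp_mpi(n) + openpgp_mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def der(tag, content):
    # DER TLV with short- or long-form length.
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = be_bytes(len(content))
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def der_uint(x):
    # DER INTEGER; a leading 0x00 keeps a set top bit from reading as negative.
    b = be_bytes(x)
    return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def x509_spki_and_ski(n, e):
    # RFC 3279 RSA SubjectPublicKeyInfo, and the RFC 5280 method-1 SubjectKeyIdentifier
    # (SHA-1 of the subjectPublicKey bits, i.e. of the RSAPublicKey DER).
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
    rsa_public_key = der(0x30, der_uint(n) + der_uint(e))
    alg_id = der(0x30, rsa_oid + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    spki = der(0x30, alg_id + der(0x03, b"\x00" + rsa_public_key))
    return spki, hashlib.sha1(rsa_public_key).hexdigest().upper()

def rsa_keygrip(n):
    # libgcrypt keygrip for RSA: SHA-1 over the S-expression "(1:n<len>:<n>)". Assumption:
    # <n> is hashed as libgcrypt stores it, with a leading 0x00 when the top bit is set.
    b = be_bytes(n)
    if b[0] & 0x80:
        b = b"\x00" + b
    return hashlib.sha1(b"(1:n%d:" % len(b) + b + b")").hexdigest().upper()
```

Feeding the n and e of a real key (say, read out of an existing certificate) into all three functions gives the identifiers the post contrasts: two fingerprints for two OpenPGP packagings, one SKI for the X.509 packaging, and one keygrip throughout.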