making the X.509 infrastructure available for OpenPGP

Mark H. Wood mwood at IUPUI.Edu
Tue Feb 4 15:01:12 CET 2014


On Tue, Feb 04, 2014 at 04:55:56AM +0100, Hauke Laging wrote:
[snip]
> Now my point: Keys can be converted from one format to the other. The 
> fingerprint changes but obviously the keygrip doesn't. I believe it 
> would make a lot of sense to create a connection between gpg and gpgsm 
> and point gpgsm to the OS's and / or browser's root certificate pool. 
> Then a CA could offer its certificate in OpenPGP format (even conforming 
> to some new "standard" which makes it easier to detect this special kind 
> of certificate e.g. by using a comment or signature notation pointing to 
> the related X.509 certificate), and GnuPG could easily realize that it 
> is the same key. This would relieve the user from the hard decision 
> whether a certificate is valid (the CA's OpenPGP certificate in this 
> case). The user would just have to decide (like with any other OpenPGP 
> certificate) whether he wants to trust this CA (and how much).
> 
> By doing so the pre-installed CA pool would become valuable for OpenPGP, 
> too, and it would make sense for the CAs to offer certifications for 
> OpenPGP certificates, too.

Assuming you trust those CAs.  All of them.

Having said that, you might look at how OpenSSH has included X.509
certificates in its operation.  There is precedent for something like
what you suggest.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
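As an added illustration of the keygrip-versus-fingerprint point in the quoted message (this is not code from either poster), the Python below computes both identifiers for one RSA public key: the keygrip as SHA-1 over the bare modulus in libgcrypt's canonical S-expression form, which is my reading of libgcrypt's RSA rule and worth checking against `gpg --with-keygrip`, and the OpenPGP v4 fingerprint from RFC 4880 section 12.2, which also hashes the packet wrapper including the creation time. Re-packaging the same key with a different creation time (as happens when a key is brought over from an X.509 certificate, whose own fingerprint is a hash of the whole DER certificate) therefore changes the fingerprint but not the keygrip. The modulus used is a constructed toy value, far too small for real use.

```python
import hashlib
import struct


def _mpi_bytes(x: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer, no leading zero bytes."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big") if x else b""


def keygrip_material(n: int) -> bytes:
    """Bytes that libgcrypt hashes for an RSA keygrip (my understanding of its rule):
    the canonical S-expression "(1:n<len>:<raw n>)". The exponent e and anything
    from the surrounding certificate (creation time, user IDs, issuer) are not included,
    which is why the keygrip survives an OpenPGP <-> X.509 conversion."""
    data = _mpi_bytes(n)
    return b"(1:n" + str(len(data)).encode() + b":" + data + b")"


def keygrip(n: int) -> str:
    return hashlib.sha1(keygrip_material(n)).hexdigest().upper()


def openpgp_v4_fingerprint(n: int, e: int, created: int) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, a two-byte body
    length, and the public-key packet body (version, creation time, algorithm, MPIs)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01"  # v4, timestamp, algo 1 = RSA
    for value in (n, e):
        data = _mpi_bytes(value)
        body += struct.pack(">H", value.bit_length()) + data  # MPI: bit count + magnitude
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(packet).hexdigest().upper()


# Constructed toy key (n = 61 * 53, e = 17); only the encoding logic matters here.
N = 3233
E = 17

if __name__ == "__main__":
    print("keygrip               ", keygrip(N))
    # Same key, two creation times: two fingerprints, one keygrip.
    print("fingerprint, created=t", openpgp_v4_fingerprint(N, E, 1391522112))
    print("fingerprint, created=t+1", openpgp_v4_fingerprint(N, E, 1391522113))
```

With a real key, `gpg --with-keygrip -k` and `gpgsm --with-keygrip -k` should print the same keygrip for the OpenPGP and X.509 wrappings of that key.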