making the X.509 infrastructure available for OpenPGP
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 5 06:03:23 CET 2014
On 02/04/2014 12:36 PM, Hauke Laging wrote:
>> I don't know of a formalized way to do the other mapping, but it seems
>> like it would be pretty straightforward to embed the full X.509
>> certificate in a notation packet
> Why wouldn't the fingerprint and the DN be enough? The whole
> approach is based on the assumption that the X.509 certificate is
> already available.
If the X.509 certificate is already available, nothing else needs to be
done. You can compare the MPIs for the public key directly.
> Using a different key would not make sense.
Why not? Many of the main cartel CAs routinely set up special keys for
sub-CAs whose job is to make certain kinds of certifications. Perhaps
such a sub-CA could be made for issuing OpenPGP certifications?
> That's my opinion, too. And exactly that can be taken over to OpenPGP.
> Integrated deployment is already there, we just need the technical
> bridge from X.509 to OpenPGP. And afterwards the OpenPGP certifications
> by the CAs, of course.
I'd love to see it the other way around, actually (though maybe I'm
misunderstanding you again) -- it would be great to use S/MIME as the
message transport and encapsulation, but use OpenPGP for the certificate
model. This takes advantage of all the existing message parsing and
packaging in any existing S/MIME client, and reduces OpenPGP support to
a key management and certificate validation plugin.
To do this, I'd likely want to add a pair of S/MIME-specific subkeys to
my OpenPGP certificate (one for encryption, one for signing), so that I
can avoid re-using key material across different cryptographic messaging
schemes (i.e. not use the same signing key for both OpenPGP messages and
Werner recently (in message ID 87zjmv127f.fsf at vigenere.g10code.de)
indicated his acceptance of a notation named extended-usage at gnupg.org
with a value that can be set to "bitcoin". Maybe the same notation
could be used to indicate "s/mime-sign" or "s/mime-encrypt" for these
sorts of keys?
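The "compare the MPIs directly" step mentioned above, as an added worked example that is not part of this thread or of any GnuPG code. It assumes the X.509 side has already been reduced to the PKCS#1 RSAPublicKey DER (SEQUENCE of two INTEGERs, as `openssl x509 -pubkey | openssl rsa -pubin -RSAPublicKey_out` would print) and the OpenPGP side to the body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2). The sample modulus and creation timestamp are constructed values, not a real key. The two formats encode the same numbers differently (DER uses two's-complement INTEGERs with a leading 0x00 when the high bit is set; OpenPGP MPIs carry a 16-bit bit count), so both are decoded to integers before comparing. The v4 fingerprint is included only to show that it hashes the creation timestamp along with the key material, which is why a fingerprint cannot be derived from the X.509 certificate alone.

```python
import hashlib
import struct

# Constructed sample public numbers for the demonstration: NOT a real RSA key,
# just an arbitrary 512-bit odd modulus and the usual public exponent.
SAMPLE_N = int(
    "C4F5C1D2A3B4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E"
    "8F90A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7F",
    16,
)
SAMPLE_E = 65537
SAMPLE_CREATED = 1391576603  # arbitrary OpenPGP key-creation time (assumed)


# ---- X.509 side: PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # DER INTEGER is two's complement: pad so it stays positive
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*elements):
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def der_rsa_public_key(n, e):
    return der_sequence(der_integer(n), der_integer(e))


def _der_read_tlv(buf, off):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def der_parse_rsa_public_key(der):
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, off = _der_read_tlv(seq, 0)
    tag_e, e_bytes, _ = _der_read_tlv(seq, off)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    # int.from_bytes of a leading 0x00 pad is harmless, so no stripping needed
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# ---- OpenPGP side: RFC 4880 MPIs (3.2), v4 public-key packet (5.5.2), fingerprint (12.2)

def mpi_encode(value):
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def mpi_decode(buf, off):
    bits = struct.unpack(">H", buf[off:off + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), off + 2 + nbytes


def openpgp_v4_rsa_public_key_body(n, e, created):
    # version 4, 4-octet creation time, algorithm 1 (RSA), then MPIs n and e
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi_encode(n) + mpi_encode(e)


def parse_openpgp_v4_rsa_public_key(body):
    if body[0] != 4 or body[5] != 1:
        raise ValueError("only v4 RSA public-key packets are handled here")
    created = struct.unpack(">I", body[1:5])[0]
    n, off = mpi_decode(body, 6)
    e, _ = mpi_decode(body, off)
    return created, n, e


def openpgp_v4_fingerprint(body):
    # SHA-1 over 0x99, two-octet body length, and the packet body (which includes the timestamp)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def same_public_key(rsa_public_key_der, pgp_key_packet_body):
    """True when the X.509 RSAPublicKey and the OpenPGP key packet carry the same (n, e)."""
    x509_n, x509_e = der_parse_rsa_public_key(rsa_public_key_der)
    _, pgp_n, pgp_e = parse_openpgp_v4_rsa_public_key(pgp_key_packet_body)
    return (x509_n, x509_e) == (pgp_n, pgp_e)


if __name__ == "__main__":
    der = der_rsa_public_key(SAMPLE_N, SAMPLE_E)
    body = openpgp_v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    print("same key material:", same_public_key(der, body))
    print("OpenPGP v4 fingerprint:", openpgp_v4_fingerprint(body))
```

Both parsers deliberately handle only the RSA case the thread is discussing; a production bridge would also need to dispatch on the X.509 AlgorithmIdentifier and the OpenPGP algorithm octet for DSA and ECC keys.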