making the X.509 infrastructure available for OpenPGP

Peter Lebbing peter at
Wed Feb 5 19:04:04 CET 2014

On 05/02/14 11:23, Werner Koch wrote:
> In general it does not make sense to use the same key - there is no 
> advantage.

I could think of /a/ reason to do it. You could leverage existing X.509
certifications by CAs to verify key validity in the OpenPGP world.

An X.509 certification obviously certifies that a certain X.509 certificate
belongs to the person or role identified by the Distinguished Name. But seen a
bit differently, it certifies that that Distinguished Name has control over the
key that is in the certificate.

If that same key is used as an OpenPGP key, it follows that that same
Distinguished Name has control over that key.

So you could create a hybrid model:

I assign trust to a specific CA. That CA has issued a certificate with DN "XYZ".
In my public OpenPGP keyring, there exists a key with a UID "XYZ", and that
public key has the same raw key material as the certificate. A key manager that
manages both types of keys can now in fact infer that UID "XYZ" is validated by
that CA.

This approach doesn't change anything about the format of certificates in either
X.509 or OpenPGP, it simply matches raw key material and DN's to UID's, and
infers a measure of validity from it. Since OpenPGP UID's are usually not in the
same format as DN's, people need to explicitly create such a UID to support this
kind of validity inference. For a better user experience, it might be useful if
frontends could work with the DN format, so such a UID is considered when
matching on an e-mail address.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list