making the X.509 infrastructure available for OpenPGP

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 5 19:22:16 CET 2014


On 02/05/2014 01:04 PM, Peter Lebbing wrote:
> So you could create a hybrid model:
> 
> I assign trust to a specific CA. That CA has issued a certificate with DN "XYZ".
> In my public OpenPGP keyring, there exists a key with a UID "XYZ", and that
> public key has the same raw key material as the certificate. A key manager that
> manages both types of keys can now in fact infer that UID "XYZ" is validated by
> that CA.
> 
> This approach doesn't change anything about the format of certificates in either
> X.509 or OpenPGP, it simply matches raw key material and DNs to UIDs, and
> infers a measure of validity from it. Since OpenPGP UIDs are usually not in the
> same format as DNs, people need to explicitly create such a UID to support this
> kind of validity inference. For a better user experience, it might be useful if
> frontends could work with the DN format, so such a UID is considered when
> matching on an e-mail address.

If you're interested in this sort of hybrid approach, please take a look
at the monkeysphere validation agent's msva-perl git repository, which
contains a perl script "openpgp2x509":

 git://git.monkeysphere.info/msva-perl

I also have rather half-baked code called "2ca" that operates a
minimalist "dual-stack" certificate authority which creates certificates
in both OpenPGP and X.509 forms.  In particular, it takes an OpenPGP
certificate, certifies selected User IDs on it, and then produces an
X.509 certificate derived from the relevant key (or subkey) based on the
User ID and key usage flags:

 git://lair.fifthhorseman.net/~dkg/2ca

I'd welcome patches or suggestions or fixes.  Please don't try to deploy
this in any sort of production environment without understanding it
fully and thinking it through.

If you want to follow up in detail about these projects, and if Werner
feels it's off-topic for this list, followup on the Monkeysphere
development list would be fine:

 Monkeysphere Developers <monkeysphere at lists.riseup.net>

Regards,

	--dkg
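The inference Peter sketches above (same raw key material in the X.509 certificate and the OpenPGP key, subject DN equal to a User ID, issuing CA trusted locally) can be written down as a small decision procedure. The following is an added illustration, not code from msva-perl, 2ca or anyone on the list. It assumes constructed stand-ins for the certificate and the OpenPGP key (a `spki`/`key_material` byte string compared by SHA-256 fingerprint, and DNs as plain comma-separated strings); a real implementation would compare the DER SubjectPublicKeyInfo against the OpenPGP public key packet and canonicalize DNs before comparing them. It also includes the e-mail based matching the quoted text suggests for frontends, and returns a reason string so the three failure modes (untrusted CA, key mismatch, no matching UID) are distinguishable.

```python
"""Hybrid X.509 / OpenPGP validity inference (constructed example).

A User ID on an OpenPGP key is inferred to be validated by a CA when:
  1. the certificate's issuer is a CA the local user trusts,
  2. the certificate's public key material equals the OpenPGP key's, and
  3. the certificate's subject DN equals the User ID string, or (optionally)
     the DN's emailAddress attribute equals the e-mail part of the User ID.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class X509Cert:
    issuer: str          # issuer DN, e.g. "CN=Example CA"
    subject: str         # subject DN as a comma-separated string
    spki: bytes          # stand-in for the DER SubjectPublicKeyInfo

    def key_fingerprint(self) -> str:
        return hashlib.sha256(self.spki).hexdigest()


@dataclass
class OpenPGPKey:
    uids: list           # User ID strings
    key_material: bytes  # stand-in for the raw public key material

    def key_fingerprint(self) -> str:
        return hashlib.sha256(self.key_material).hexdigest()


def dn_attributes(dn: str) -> dict:
    """Split a simplified 'k=v,k=v' DN string into a dict (no escaping handled)."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


_ANGLE_EMAIL = re.compile(r"<([^>]+)>\s*$")


def uid_email(uid: str):
    """Extract the e-mail address from an OpenPGP User ID, or None."""
    match = _ANGLE_EMAIL.search(uid)
    if match:
        return match.group(1).lower()
    return uid.strip().lower() if "@" in uid else None


def infer_validated_uids(cert: X509Cert, key: OpenPGPKey,
                         trusted_cas: set, match_email: bool = True):
    """Return (validated_uids, reason) for the UIDs of `key` that `cert` vouches for."""
    if cert.issuer not in trusted_cas:
        return [], "issuer not trusted"
    if cert.key_fingerprint() != key.key_fingerprint():
        return [], "key material differs"
    cert_email = dn_attributes(cert.subject).get("emailAddress", "").lower() or None
    validated = []
    for uid in key.uids:
        if uid == cert.subject:                       # exact DN-as-UID match
            validated.append(uid)
        elif match_email and cert_email and uid_email(uid) == cert_email:
            validated.append(uid)                     # frontend-style e-mail match
    return validated, ("ok" if validated else "no UID matches the subject DN")


# Constructed sample data (not real certificates or keys).
TRUSTED_CAS = {"CN=Example CA"}
SAMPLE_KEY_MATERIAL = b"constructed-public-key-material"
SAMPLE_CERT = X509Cert(
    issuer="CN=Example CA",
    subject="CN=Alice Example,emailAddress=alice@example.org",
    spki=SAMPLE_KEY_MATERIAL,
)
SAMPLE_PGP_KEY = OpenPGPKey(
    uids=[
        "CN=Alice Example,emailAddress=alice@example.org",  # DN-formatted UID
        "Alice Example <alice@example.org>",                # conventional UID
        "Alice at Work <alice@work.example>",               # unrelated UID
    ],
    key_material=SAMPLE_KEY_MATERIAL,
)

if __name__ == "__main__":
    print(infer_validated_uids(SAMPLE_CERT, SAMPLE_PGP_KEY, TRUSTED_CAS))
    print(infer_validated_uids(SAMPLE_CERT, SAMPLE_PGP_KEY, TRUSTED_CAS, match_email=False))
    print(infer_validated_uids(SAMPLE_CERT, SAMPLE_PGP_KEY, set()))
```

With the sample data the DN-formatted UID and the conventional UID are both inferred as validated; disabling e-mail matching leaves only the DN-formatted one, and an untrusted issuer or differing key material yields no validated UIDs at all, which is the point of binding the inference to the raw key rather than to the name alone.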
