making the X.509 infrastructure available for OpenPGP
Hauke Laging
mailinglisten at hauke-laging.de
Thu Feb 6 03:56:26 CET 2014
Am Mi 05.02.2014, 00:03:23 schrieb Daniel Kahn Gillmor:
> > Why wouldn't the fingerprint and the DN not be enough? The whole
> > approach is based on the assumption that the X.509 certificate is
> > already available.
>
> if the X.509 certificate is already available, nothing else needs to
> be done.
That is correct but this argument doesn't make sense in the context of
my proposal: You have to look for the X.509 certificate in the root CA
store anyway because being part of the root CA pool is the core of my
proposal.
> > Using a different key would not make sense.
>
> why not? many of the main cartel CAs routinely set up special keys
> for sub-CAs whose job is to make certain kinds of certifications.
> Perhaps such a sub-CA could be made for issuing OpenPGP
> certifications?
Using a different key for an intermediate CA would not be a problem at
all. Just the root certificate (which is pre-installed) must be the
same.
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140206/3b6d6fbc/attachment-0001.sig>
More information about the Gnupg-users
mailing list