making the X.509 infrastructure available for OpenPGP

Hauke Laging mailinglisten at hauke-laging.de
Thu Feb 6 03:56:26 CET 2014


On Wed 05.02.2014, 00:03:23, Daniel Kahn Gillmor wrote:

> > Why wouldn't the fingerprint and the DN not be enough? The whole
> > approach is based on the assumption that the X.509 certificate is
> > already available.
> 
> if the X.509 certificate is already available, nothing else needs to
> be done.

That is correct but this argument doesn't make sense in the context of 
my proposal: You have to look for the X.509 certificate in the root CA 
store anyway because being part of the root CA pool is the core of my 
proposal.


> > Using a different key would not make sense.
> 
> why not?  many of the main cartel CAs routinely set up special keys
> for sub-CAs whose job is to make certain kinds of certifications. 
> Perhaps such a sub-CA could be made for issuing OpenPGP
> certifications?

Using a different key for an intermediate CA would not be a problem at 
all. Just the root certificate (which is pre-installed) must be the 
same.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5


More information about the Gnupg-users mailing list