making the X.509 infrastructure available for OpenPGP

Hauke Laging mailinglisten at
Thu Feb 6 03:56:26 CET 2014

Am Mi 05.02.2014, 00:03:23 schrieb Daniel Kahn Gillmor:

> > Why wouldn't the fingerprint and the DN not be enough? The whole
> > approach is based on the assumption that the X.509 certificate is
> > already available.
> if the X.509 certificate is already available, nothing else needs to
> be done.

That is correct but this argument doesn't make sense in the context of 
my proposal: You have to look for the X.509 certificate in the root CA 
store anyway because being part of the root CA pool is the core of my 

> > Using a different key would not make sense.
> why not?  many of the main cartel CAs routinely set up special keys
> for sub-CAs whose job is to make certain kinds of certifications. 
> Perhaps such a sub-CA could be made for issuing OpenPGP
> certifications?

Using a different key for an intermediate CA would not be a problem at 
all. Just the root certificate (which is pre-installed) must be the 

Crypto für alle:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140206/3b6d6fbc/attachment-0001.sig>

More information about the Gnupg-users mailing list