advice please (just about the same over here)

stebe at mailbox.org stebe at mailbox.org
Tue Dec 29 15:05:35 CET 2015


> Bob Henson <bob.henson at galen.org.uk> wrote on 29 December 2015 at 10:07:
> 
> 
> On 28/12/2015 10:22 pm, Jay Sulzberger wrote:
> > 
> > On Mon, 28 Dec 2015, Steve Butler <sbutler at fchn.com> wrote:
> > 

> If, as you imply above, you are looking for a more universal system of
> encryption, then PGP/OpenPGP certainly isn't the one to use - it is
> intended to be a "person to person" system used between people known to
> one another and whose keys can be countersigned with absolute certainty.
> There is already a system, albeit far from perfect, which lends itself
> to large scale use and that is the X.509 certificate system - already
> widely used.
> 
(Sorry for appending a slightly off-topic question to this thread, well, I
really like the person-to-person design of gpg and the Web of Trust, and the
enigmail extension makes it quite easy to get along, the Enigmail handbook
is written in a clear and concise manner suited for beginners as well as
for more technical users...whenever you need a free German translation,
knock on my door!)

By the way, talking about the X509 certificate system, what is the exact
command line syntax to verify (using openssl, I guess) a given
certificate's signature by using the public key of the certificate that
has issued the certificate to be verified? 
openssl verify pkeyutl (and what else? "sigfile=file" AND "pkey" as a file
or STDIN?)
The certificate to be validated (as presented in the TLS handshake) is not
present as a file, just as a data stream captured with a specialized tool,
and in the signature field I cannot see a signature, just the algorithm
used (or maybe I am blind?), whereas the OCSP response details a long
signature preceded by the word "signature:". The public key I have to use
is already in the browser's certificate, but how do I get it all down to
command line syntax?

Any help appreciated.

Cheers,

Stephan
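
Added example, not part of the original message: one way to do the check asked about above is to split the certificate into its to-be-signed part and its signature value with `openssl asn1parse`, then run `openssl dgst -verify` with the issuer's public key. It assumes the captured certificate has been saved as a PEM file and that the signature is RSA (PKCS#1 v1.5) or ECDSA with SHA-256 unless another digest is passed; the function names and demo certificates are constructed here.

```shell
#!/bin/sh
# Added example; every name, subject and file below is constructed.

# Throwaway CA plus a leaf certificate signed by it (sha256WithRSAEncryption).
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -sha256 -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# verify_cert_sig CERT.pem ISSUER.pem [DIGEST]
# Returns 0 only if ISSUER's public key validates the signature on CERT.
verify_cert_sig() {
    cert=$1; issuer=$2; md=${3:-sha256}
    w=$(mktemp -d) || return 2
    openssl x509 -in "$cert" -outform DER -out "$w/cert.der" &&
    openssl x509 -in "$issuer" -noout -pubkey > "$w/issuer.pub" || return 2
    dump=$(openssl asn1parse -inform DER -in "$w/cert.der") || return 2
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
    # signatureValue }: the first depth-1 element is the signed data and the
    # depth-1 BIT STRING is the signature.
    tbs_off=$(printf '%s\n' "$dump" |
        awk -F: '/d=1 /{gsub(/ /,"",$1); print $1; exit}')
    sig_off=$(printf '%s\n' "$dump" |
        awk -F: '/d=1 / && /BIT STRING/{gsub(/ /,"",$1); print $1}')
    # -strparse writes the element's bytes: the full TBS encoding, and the
    # signature without the BIT STRING's unused-bits octet.
    openssl asn1parse -inform DER -in "$w/cert.der" -strparse "$tbs_off" \
        -noout -out "$w/tbs.der" &&
    openssl asn1parse -inform DER -in "$w/cert.der" -strparse "$sig_off" \
        -noout -out "$w/sig.bin" &&
    openssl dgst "-$md" -verify "$w/issuer.pub" -signature "$w/sig.bin" \
        "$w/tbs.der" >/dev/null 2>&1
    rc=$?
    rm -rf "$w"
    return $rc
}

# Demo on the constructed pair.
demo=$(mktemp -d) && make_demo_certs "$demo" &&
    verify_cert_sig "$demo/leaf.pem" "$demo/ca.pem" && echo "signature OK"
```

This checks only the signature itself; validity dates, name constraints, revocation and the rest of path validation are what `openssl verify` adds on top.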


