How to join pubring.kbx and pubring.gpg?

Binarus lists at binarus.de
Fri Jun 16 10:27:19 CEST 2017


At first, I'd like to thank you for the great explanations.

On 14.06.2017 19:21, Juan Miguel Navarro Martínez wrote:

> As far as I know, GPGSM is a GPG tool to use X.509 certificates. That's
> not the OpenPGP protocol. With this said...

Here is where my worry begins. AFAIK, all PGP variants are using RSA key
pairs. A public X.509 certificate is just a container for such keys (and
possibly has information about the certificate chain). Given that, in my
naive world, it should be no problem to extract that public PGP key from
the certificate; the goal would be to gain the "pure" key which then
could be added to the traditional PGP (Enigmail / gpg4win) world.

Of course, any information regarding the certification chain would be
lost when doing so, but I really wouldn't care about that (I have
downloaded the certificate from the website of a very big well-known
company; the website is protected by TLS, and I have checked that there
was no man in the middle).

Unfortunately, I didn't find any hint on how to extract that key. It is
in the certificate for sure, and I think I will eventually be able to
dump it after playing some time with OpenSSL, but then I eventually
won't know how to integrate it into Enigmail / gpg4win.

Furthermore, I am still not sure if this is just a matter of
transforming the key or if the whole software / data exchange protocol
depends on the sort of key. In other words, even if I would manage to
extract the key and to integrate it into the Enigmail / gpg4win world,
would the communication partner be able to decrypt the respective messages?

> For GnuPG to use KBX format, you must have the modern branch which is
> 2.1 and later. For that, you need to use the experimental version of
> Gpg4Win:

This is a very important hint. I didn't even know that such a branch
exists. An average user visiting their website mainly for downloading
their software won't see any hint regarding that ... or I have missed
something.

> After you download the experimental version, you must do the follow:
[...]
> 
> I must remind you that your partner's key will still be a X.509 key and
> so you'll still need to use GPGSM to list, verify messages from and
> encrypt message to that key but now both public OpenPGP and X.509 keys
> will be stored in pubring.kbx.

Thank you very much for the manual :-) So I now know how to use pubring.kbx
instead of pubring.gpg, but obviously, this is not the solution to my
problem (as I initially had thought).

The bottom line seems to be that I can't use Enigmail / gpg4win to
exchange email with communication partners which provide their keys in
form of certificates. This does not make much sense since there is a
strong trend among the big companies to provide only PGP certificates
instead of PGP keys.

Using gpgsm on the command line is not what I would like to do in my daily
email routine (although I am a strong fan of the command line in other
situations).

Slightly off-topic: Does anybody eventually know if and when Enigmail /
gpg4win will support certificates?

Thank you very much,

Binarus
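As an added example that is not part of this message or of the thread, the following script shows the OpenSSL step the message is looking for: pulling the public key out of an X.509 certificate. It assumes only the `openssl` command line tool; the certificate it works on is a self-signed one constructed on the fly (no real company's certificate is involved). The script checks that the extracted key is byte-for-byte the same RSA key the certificate was issued for, and shows that what comes out is a plain SubjectPublicKeyInfo PEM ("BEGIN PUBLIC KEY"), not an OpenPGP key block: OpenPGP wraps key material in its own packets (with a creation timestamp that enters the fingerprint), which is why `gpg --import` has nothing to do with this file and gpgsm remains the tool for X.509 material.

```shell
#!/bin/sh
# Added example (not from the original thread): extract the raw public key
# from an X.509 certificate with OpenSSL and inspect what was extracted.
# All material is constructed locally so the script runs offline.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a fresh 2048-bit RSA key and a self-signed
# certificate for it (stand-in for the certificate downloaded from a website).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1 || return 1
}

# The actual extraction: SubjectPublicKeyInfo out of a certificate, PEM in, PEM out.
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout
}

# Sanity check that the extracted key is the key the certificate carries:
# derive the public half from the private key and compare the two PEM files.
pubkey_matches_private() {
    extract_pubkey "$WORK/cert.pem" > "$WORK/from_cert.pem" || return 1
    openssl pkey -in "$WORK/key.pem" -pubout > "$WORK/from_key.pem" 2>/dev/null || return 1
    cmp -s "$WORK/from_cert.pem" "$WORK/from_key.pem"
}

# First line of the PEM armor: shows this is a generic SPKI, not
# "-----BEGIN PGP PUBLIC KEY BLOCK-----".
pubkey_armor_header() {
    head -n 1 "$WORK/from_cert.pem"
}

# Algorithm and size of what was extracted (first line of the text dump,
# e.g. "Public-Key: (2048 bit)" or "RSA Public-Key: (2048 bit)" depending
# on the OpenSSL version).
pubkey_summary() {
    openssl pkey -pubin -in "$WORK/from_cert.pem" -text -noout 2>/dev/null | head -n 1
}

main() {
    make_test_cert || { echo "openssl is required for this example" >&2; return 1; }
    if pubkey_matches_private; then
        echo "extracted key is identical to the certificate's RSA key"
    else
        echo "mismatch between extracted key and private key" >&2
        return 1
    fi
    echo "armor header: $(pubkey_armor_header)"
    echo "key summary:  $(pubkey_summary)"
}

main
```

Usage: run the script as-is; it needs nothing but `openssl`. To apply the extraction step to a downloaded certificate, call `extract_pubkey cert.pem` on that file instead of the constructed one.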
