[gnutls-dev] OpenPGP Keys

Simon Josefsson simon at josefsson.org
Thu Apr 19 11:21:13 CEST 2007


Timo Schulz <twoaday at gmx.net> writes:

> Hi,
>
> I forgot to mention that the opencdk interface for retrieving
> the validity and the ownertrust of the the key is no longer
> available. Now the question is how to handle the issue.
>
> I've seen that at least cdk_trustdb_get_ownertrust() is used
> in the signature verification code.
>
> The problem is, that ownertrust is a value each openpgp application
> associates to a key and I do not think it is a good idea to let the
> gnutls server use the values of some user from existing gpg files.
>
> Frankly, I'm not sure how to implement this. Maybe we should have our
> own 'key trust' file which stores the ownertrust of the keys. But the
> question is if these values are really used by the openpgp
> authentication at all.
>
> Any comments?

I'm thinking that the trustdb file will be the GnuTLS-specific
trustdb, and thus OpenCDK can depend on the trust information in that
file.  Wouldn't that work?

Thus, it would be a bad idea to run a server with your personal
~/.gnupg/trustdb.gpg, and you would rather create a separate
trustdb.gpg for the GnuTLS server.

However, I'm not really familiar with these aspects of OpenPGP/GnuPG.
It strikes me as a bad idea to rely on GnuPG-specific files (which is
what we are doing, or?) so if it is possible to have a text file with
OpenPGP key identifiers in it that the server should trust, that seems
like a better choice.  Is there any other information in the trustdb
that GnuTLS/OpenCDK needs?

Sorry for not being that familiar with this code and the design...
I'm trying to think about it conceptually.

/Simon



More information about the Gnutls-dev mailing list