[gnutls-dev] On key usage flags
Ludovic Courtès
ludo at gnu.org
Mon Sep 10 18:30:15 CEST 2007
Hi,
ludo at gnu.org (Ludovic Courtès) writes:
> Recently, I tried to use OpenPGP-based authentication with the
> `RSA_NULL_MD5' cipher suite (i.e., no encryption). To that end, I
> generated (with GnuPG) an RSA OpenPGP key pair, and wrote a test program
> that specifies the right kx/cipher/mac priorities.
>
> Unfortunately, that doesn't work, because the generated OpenPGP key
> doesn't have the "encryption" key usage flag, which means that
> `_gnutls_selected_cert_supported_kx ()' will reject it while looking for
> a cipher suite.
>
> I don't know about X.509, but OpenPGP key usage flags are informative
> rather than authoritative. Thus, I'm wondering whether we should really
> systematically pay attention to them. Providing the option to honor
> them (e.g., through user-definable hooks) may be wise, but enforcing it
> doesn't feel right. In addition, GPG doesn't really permit usage flags
> to be chosen, making it hard to create a suitable key.
Ping! :-)
Thanks in advance,
Ludovic.
More information about the Gnutls-dev
mailing list