[gnutls-dev] On key usage flags
Ludovic Courtès
ludo at gnu.org
Mon Sep 10 19:47:00 CEST 2007
Hi,
ludo at gnu.org (Ludovic Courtès) writes:
> I don't know about X.509, but OpenPGP key usage flags are informative
> rather than authoritative. Thus, I'm wondering whether we should really
> systematically pay attention to them. Providing the option to honor
> them (e.g., through user-definable hooks) may be wise, but enforcing it
> doesn't feel right. In addition, GPG doesn't really permit usage flags
> to be chosen, making it hard to create a suitable key.
I read the relevant code again to get a better understanding of what's
going on. Here are my findings and proposals.
  * `_gnutls_check_key_usage ()' uses CERT->KEY_USAGE.
  * `openpgp_pk_to_gnutls_cert ()' initializes CERT->KEY_USAGE based on
    the RFC 2440 key flags (Section 5.2.3.20) found in the key[*].
  * Conversely, `gnutls_openpgp_key_get_key_usage ()' returns the actual
    capabilities of the key's algorithm rather than the OpenPGP usage
    flags.
This shows an inconsistency with OpenPGP key usage handling: We should
stick to either RFC 2440 key flags or to "actual" key flags based on the
key's algorithm capabilities.
For X.509, GnuTLS doesn't have this problem:
`_gnutls_x509_crt_to_gcert ()' uses the result from
`gnutls_x509_crt_get_key_usage ()', which is the "alleged" key usage
flags found in the certificate (i.e., roughly the equivalent of RFC
2440's key flags).
Therefore:
  * For consistency, `gnutls_openpgp_key_get_key_usage ()' should be
    changed to match the behavior of `openpgp_pk_to_gnutls_cert ()',
    i.e., to return the RFC 2440 key flags.
  * X.509 users can override a certificate's usage flags through
    `gnutls_x509_crt_set_key_usage ()'. OpenPGP should have a similar
    facility, namely `gnutls_openpgp_key_set_key_usage ()'.
Opinions?
Thanks,
Ludovic.
[*] Unless said flags are zeroed, in which case it defaults to actual
key usage flags---but this situation is highly unlikely.
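
Added example (not part of the original message and not GnuTLS code): a small C model of the two views of OpenPGP key usage described above, showing where they disagree. The USE_* bits, the function names and the flag-to-usage mapping are assumptions made for this sketch; the key flag and algorithm values are those of RFC 2440.

```c
#include <stdio.h>

/* RFC 2440 key flags, Section 5.2.3.20 (first octet of the subpacket). */
#define PGP_FLAG_SIGN         0x02
#define PGP_FLAG_ENCRYPT_COMM 0x04
#define PGP_FLAG_ENCRYPT_STOR 0x08
/* RFC 2440 public-key algorithm IDs, Section 9.1. */
enum { PGP_RSA = 1, PGP_RSA_E = 2, PGP_RSA_S = 3, PGP_ELG_E = 16, PGP_DSA = 17 };
/* Hypothetical usage bits for this example; not the GNUTLS_KEY_* values. */
#define USE_SIGN    0x1u
#define USE_ENCRYPT 0x2u

/* "Actual" usage: what the key's algorithm is capable of. */
unsigned usage_from_algo(int algo)
{
    switch (algo) {
    case PGP_RSA:                   return USE_SIGN | USE_ENCRYPT;
    case PGP_RSA_S: case PGP_DSA:   return USE_SIGN;
    case PGP_RSA_E: case PGP_ELG_E: return USE_ENCRYPT;
    default:                        return 0;
    }
}

/* "Alleged" usage: what the key flags claim (mapping assumed here). */
unsigned usage_from_flags(unsigned flags)
{
    unsigned u = 0;
    if (flags & PGP_FLAG_SIGN) u |= USE_SIGN;
    if (flags & (PGP_FLAG_ENCRYPT_COMM | PGP_FLAG_ENCRYPT_STOR)) u |= USE_ENCRYPT;
    return u;
}

/* Certificate-side view: key flags, or algorithm capabilities if zeroed. */
unsigned cert_usage(int algo, unsigned flags)
{
    return flags ? usage_from_flags(flags) : usage_from_algo(algo);
}

/* Bits on which the two views disagree; 0 means they are consistent. */
unsigned usage_disagreement(int algo, unsigned flags)
{
    return cert_usage(algo, flags) ^ usage_from_algo(algo);
}

int main(void)
{
    /* Constructed sample keys: {algorithm, key flags}. */
    unsigned k[][2] = { {PGP_RSA, PGP_FLAG_SIGN}, {PGP_DSA, 0}, {PGP_DSA, PGP_FLAG_ENCRYPT_COMM} };
    for (int i = 0; i < 3; i++)
        printf("algo=%u flags=0x%02x differ=0x%x\n", k[i][0], k[i][1],
               usage_disagreement((int)k[i][0], k[i][1]));
    return 0;
}
```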