[gnutls-dev] On key usage flags

Ludovic Courtès ludo at gnu.org
Mon Sep 10 19:47:00 CEST 2007


Hi,

ludo at gnu.org (Ludovic Courtès) writes:

> I don't know about X.509, but OpenPGP key usage flags are informative
> rather than authoritative.  Thus, I'm wondering whether we should really
> systematically pay attention to them.  Providing the option to honor
> them (e.g., through user-definable hooks) may be wise, but enforcing it
> doesn't feel right.  In addition, GPG doesn't really permit usage flags
> to be chosen, making it hard to create a suitable key.

I read the relevant code again to get a better understanding of what's
going on.  Here are my findings and proposals.

  * `_gnutls_check_key_usage ()' uses CERT->KEY_USAGE.

  * `openpgp_pk_to_gnutls_cert ()' initializes CERT->KEY_USAGE based on
    the RFC 2440 key flags (Section 5.2.3.20) found in the key[*].

  * Conversely, `gnutls_openpgp_key_get_key_usage ()' returns the actual
    capabilities of the key's algorithm rather than the OpenPGP usage
    flags.

This shows an inconsistency with OpenPGP key usage handling: We should
stick to either RFC 2440 key flags or to "actual" key flags based on the
key's algorithm capabilities.

For X.509, GnuTLS doesn't have this problem:
`_gnutls_x509_crt_to_gcert ()' uses the result from
`gnutls_x509_crt_get_key_usage ()', which is the "alleged" key usage
flags found in the certificate (i.e., roughly the equivalent of RFC
2440's key flags).


Therefore:

  * For consistency, `gnutls_openpgp_key_get_key_usage ()' should be
    changed to match the behavior of `openpgp_pk_to_gnutls_cert ()',
    i.e., to return the RFC 2440 key flags.

  * X.509 users can override a certificate's usage flags through
    `gnutls_x509_crt_set_key_usage ()'.  OpenPGP should have a similar
    facility, namely `gnutls_openpgp_key_set_key_usage ()'.

Opinions?

Thanks,
Ludovic.

[*] Unless said flags are zeroed, in which case it defaults to actual
    key usage flags---but this situation is highly unlikely.
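The message contrasts two ways of deriving an OpenPGP key's usage: from the RFC 2440 key-flags subpacket (what the key "alleges") and from the public-key algorithm's capabilities (what the key can "actually" do), with the footnote's fallback to the latter when the flags are zero. The following Python sketch is an added example, not code from GnuTLS or from the author: it parses a signature subpacket area (RFC 2440, Section 5.2.3.1), extracts the key-flags subpacket (type 27, Section 5.2.3.20) and derives a usage bit set both ways. The usage bit values and the sample subpacket bytes are constructed for the example; they borrow X.509 KeyUsage names but are not GnuTLS's GNUTLS_KEY_* constants.

```python
"""Derive an OpenPGP key's usage bits two ways (RFC 2440 key flags vs. the
algorithm's capabilities) and show where the two derivations disagree."""

# RFC 2440, Section 5.2.3.20: key-flags subpacket values.
KF_CERTIFY = 0x01          # may be used to certify other keys
KF_SIGN = 0x02             # may be used to sign data
KF_ENCRYPT_COMMS = 0x04    # may be used to encrypt communications
KF_ENCRYPT_STORAGE = 0x08  # may be used to encrypt storage
KF_SPLIT = 0x10            # private component may have been split
KF_SHARED = 0x80           # private component may be held by several people

# RFC 2440, Section 9.1: public-key algorithm identifiers.
PK_RSA = 1                 # RSA (encrypt or sign)
PK_RSA_ENCRYPT_ONLY = 2
PK_RSA_SIGN_ONLY = 3
PK_ELGAMAL_ENCRYPT_ONLY = 16
PK_DSA = 17                # sign only
PK_ELGAMAL = 20            # Elgamal (encrypt or sign)

SUBPACKET_KEY_FLAGS = 27   # subpacket type octet for key flags

# Usage bits constructed for this example (X.509 KeyUsage names, NOT the
# GnuTLS constants).
USAGE_DIGITAL_SIGNATURE = 1 << 0
USAGE_KEY_ENCIPHERMENT = 1 << 1
USAGE_DATA_ENCIPHERMENT = 1 << 2
USAGE_KEY_CERT_SIGN = 1 << 3


def parse_subpackets(data: bytes) -> dict:
    """Split a subpacket area (RFC 2440, 5.2.3.1) into {type: body}.
    Length encoding: 1 octet (<192), 2 octets (192..16319), or 0xFF + 4 octets."""
    out = {}
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length = first
            i += 1
        elif first < 255:
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:
            length = int.from_bytes(data[i + 1:i + 5], "big")
            i += 5
        body = data[i:i + length]
        if len(body) != length or length == 0:
            raise ValueError("truncated or empty subpacket")
        out[body[0] & 0x7F] = body[1:]   # bit 7 of the type octet is "critical"
        i += length
    return out


def key_flags_from_subpackets(data: bytes) -> int:
    """Return the first key-flags octet, or 0 when the subpacket is absent."""
    body = parse_subpackets(data).get(SUBPACKET_KEY_FLAGS, b"")
    return body[0] if body else 0


def usage_from_key_flags(flags: int) -> int:
    """The 'alleged' usage: a straight mapping of the RFC 2440 flags."""
    usage = 0
    if flags & KF_CERTIFY:
        usage |= USAGE_KEY_CERT_SIGN
    if flags & KF_SIGN:
        usage |= USAGE_DIGITAL_SIGNATURE
    if flags & KF_ENCRYPT_COMMS:
        usage |= USAGE_KEY_ENCIPHERMENT
    if flags & KF_ENCRYPT_STORAGE:
        usage |= USAGE_DATA_ENCIPHERMENT
    return usage


def usage_from_algorithm(pk_algo: int) -> int:
    """The 'actual' usage: whatever the algorithm is capable of (RFC 2440, 9.1)."""
    sign = USAGE_DIGITAL_SIGNATURE | USAGE_KEY_CERT_SIGN
    encrypt = USAGE_KEY_ENCIPHERMENT | USAGE_DATA_ENCIPHERMENT
    return {
        PK_RSA: sign | encrypt,
        PK_RSA_ENCRYPT_ONLY: encrypt,
        PK_RSA_SIGN_ONLY: sign,
        PK_ELGAMAL_ENCRYPT_ONLY: encrypt,
        PK_DSA: sign,
        PK_ELGAMAL: sign | encrypt,
    }.get(pk_algo, 0)


def derive_usage(pk_algo: int, subpacket_area: bytes) -> int:
    """Prefer the key flags; fall back to algorithm capabilities when zeroed."""
    flags = key_flags_from_subpackets(subpacket_area)
    return usage_from_algorithm(pk_algo) if flags == 0 else usage_from_key_flags(flags)


# Constructed sample: a creation-time subpacket (type 2, 4 octets) followed by
# a key-flags subpacket (type 27) allowing certify + sign only.
SAMPLE_WITH_FLAGS = bytes([5, 2, 0x46, 0xE5, 0x80, 0x00, 2, 27, KF_CERTIFY | KF_SIGN])
SAMPLE_NO_FLAGS = bytes([5, 2, 0x46, 0xE5, 0x80, 0x00])

if __name__ == "__main__":
    alleged = derive_usage(PK_RSA, SAMPLE_WITH_FLAGS)
    actual = usage_from_algorithm(PK_RSA)
    print(f"RSA key: flags say {alleged:#06b}, algorithm allows {actual:#06b}")
    print(f"RSA key, flags zeroed: fallback gives {derive_usage(PK_RSA, SAMPLE_NO_FLAGS):#06b}")
```

For an RSA key whose flags allow only certify and sign, the flag-based derivation yields a strictly smaller set than the algorithm-based one, which is exactly the gap between `openpgp_pk_to_gnutls_cert ()' and `gnutls_openpgp_key_get_key_usage ()' described above; a caller that trusts one function and enforces with the other will reach different conclusions for the same key.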
