openpgp + subkeys
nmav at gnutls.org
Wed Jan 16 18:06:15 CET 2008
I've been working a bit lately on the openpgp support of gnutls. The planned
1. To handle subkeys
2. To list/generate keyrings using certtool
3. To list openpgp certificates/keys using certtool
The first is partially completed. However I've come across a limitation of the
current protocol for openpgp keys (rfc5081). It seems currently there is no
way to indicate to the peer which subkey to use, thus always the primary key
has to be used.
Moreover it states that the key has to be marked for authentication, but it
seems there is no way to arbitrarily mark a public key with gpg (or I
couldn't find it).
For this reason now on the stable release we always use the primary key and
ignore the flags of the public keys.
On the development release I plan to implement a subkey negotiation -by
sending a keyid at the initial hello messages to indicate the (sub)key that
will be used during this handshake.
I was also investigating to using the first subkey with authentication flag
set, but it seems this approach is not that optimal. Other subkeys might be
present and the selection of the first seems arbitrary. Thus I'm most in
favour of the first solution.
What do you think? Any other ideas or comments?
More information about the Gnutls-devel