OpenPGP Browser Support

Duane duane at e164.org
Fri Jul 25 00:37:18 CEST 2008


Daniel Kahn Gillmor wrote:

> Some implementation decisions would need to be made:
> 
>  * do you want to use/interact with the user's standard GPG keyring
>    for any of this?

This is going to open a can of worms, but disallowing this is
detrimental for security. X.509 has a very small amount of deployment
because of the 'pop-up tax'; there is nothing intrinsically wrong with
X.509, however you are fighting mindset if you go down that path.

>  * do you want to use the full web-of-trust model, or is a list of
>    trusted authorities (similar to the current X.509 model)
>    sufficient?

There is no practical or technical reason both can't be accommodated.
I've already been in contact with the guys from CAcert over this; I'll
probably have to do the coding, but they are more than happy to sign
OpenPGP keys in the same manner as X.509 certs, and given demand I doubt
any other CA would choose not to support this as well; money is money
after all.

>  * how do you plan to match the OpenPGP User IDs to hosts?  Is just
>    the name sufficient?  What about alternate ports?  (e.g. is
>    "www.example.com" the User ID you'll look for?  or should it be
>    "https://www.example.com/"?  Or for alternate ports (e.g. not 443
>    for https), should it be "www.example.com:4343" ? I don't believe
>    the RFC actually specifies what must go here (though i'd be happy
>    to be shown otherwise).

I have some ideas about this as well ;)

No, the RFC didn't specify what has to go where and this is bad; ideally
we need an RFC specifically on this topic, and I've been trying to make
some headway on this subject but have had a general lack of feedback.

I have written in depth about this topic already, so rather than repeat
myself I'll just paste a link to the relevant document:

http://open-pgp.info/wiki/index.php?title=DNS_Encryption_Draft

Although it doesn't cover port, I'm afraid I don't know enough about the
TLS protocol to comment on if https would be suitable or not, but there
is always the escalation with TLS, but the downside is information is
leaked or changed in transit. These days the way to get a new prefix
like https is through SRV records, e.g. _httpg._tcp ...

> I'd really love to see this project get underway, but i haven't seen
> anyone doing it yet.

Me too!

-- 

Best regards,
 Duane
