[Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
simon at josefsson.org
Thu Apr 12 11:02:29 CEST 2007
Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:
> On Wed 2007-04-11 12:46:37 -0400, Ludovic Courtès wrote:
>> It feels strange to me to fill the user ID packet with something
>> that is not an RFC822 mail name, even though this is just a
> I agree that it feels strange! But I'm really hoping to see OpenPGP
> keys used in place of X.509 certs for TLS, so we need to think about
> what's the appropriate thing to put there, and how various Certificate
> authorities and clients should interpret it.
> The TLS-OpenPGP draft doesn't seem to say anything about it:
> Considerations about the use of the web of trust or identity and
> certificate verification procedure are outside the scope of this
> document. These are considered issues to be handled by the
> application layer protocols.
> Is there another draft addressing this issue? I think a declared
> convention for certificate verification during a TLS connection would
> help folks understand this new model. When you connect to a
> TLS-enabled service, you aren't connecting to an RFC 822 e-mail
> address. What would you look for in the UID of an OpenPGP-style cert
> offered by such a service?
> Any thoughts, suggestions, or pointers from other TLS-savvy folks on
> this list?
I just realized: Do we have to use the ID packet for this purpose?
Can't we define a new OpenPGP packet, similar to the X.509 Subject
Alternative Name extension? I think this is similar to how X.509
evolved: first you placed the server name in the CN, then you invented
an extension packet to hold it.
In any case, to provide interoperability, I believe there should be an
IETF document specifying this. I'm quite busy, but I would be
interested in helping such a project. Approaching the tls-openpgp
authors and/or the OpenPGP WG to discuss the extension could be a