[Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
ludovic.courtes at laas.fr
Thu Apr 12 14:06:03 CEST 2007
Simon Josefsson <simon at josefsson.org> writes:

> Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:
>
>> I agree that it feels strange! But i'm really hoping to see OpenPGP
>> keys used in place of X.509 certs for TLS, so we need to think about
>> what's the appropriate thing to put there, and how various Certificate
>> authorities and clients should interpret it.
>
> I just realized: Do we have to use the ID packet for this purpose?
> Can't we define a new OpenPGP packet, similar to the X.509 Subject
> Alternative Name extension? I think this is similar to how X.509
> evolved: first you placed the server name in the CN, then you invented
> an extension packet to hold it.

In any case, I believe the user ID packet should just be thought of as a
human-readable hint, no more. You don't make authorization decisions
based on what the user ID packet contains, but rather, for instance,
based on whether that key is in your list of authorized keys for the
purpose at hand.

So I don't clearly understand what specifying new textual packets would
buy us. I don't know much about what X.509 does, though.