[Help-gnutls] Re: OpenPGP certificate verification for TLS connections
rks at mur.at
Mon Apr 16 22:28:08 CEST 2007
Ludovic Courtès schrieb:
>> One example: a secure messaging service could have millions of
>> users. A gnupg keyring of this size may be a bit problematic, but a
>> database should handle this easily. To validate a client connection in
>> this scenario, we would need to:
>> - check for a trusted signature (including expiry and revocation), we
>> can keep this as simple as checking for one trusted key if we want.
> What do you mean by "trusted signature"? Something like an
> "authorization certificate" signed by a "trusted authority" (see my
> previous post)?
I mean trusted in the sense of the pgp trustdb. Ideally, every user
should be able to configure how he wants to construct his web of trust.
E.g. for a server application, the admin could choose a handfull of
"user managers" whose keys he would put in the keyring and assign
ultimte trust to each one.
Another example: a user of web services could validate the server key
fingerprint, and locally sign them with his own key.
>> - now that we know the ID is authentic, we can look it up in the
>> database and decide what the client is allowed to do.
One more point: even if the user id is relevant and not the key, key
revocation must still ber handled on a key basis. But this is only
necessary for key compromise, which should be a rare event. If a user
should be denied access, this can be handled via his id.
>> As for he content of ids, I agree with Daniel: using URIs seems the
>> logical choice to me, at least for servers.
> Why? How does this derive from the authorization scheme you just
I did not want to imply that this follows from the first part, I just
wanted to say I think it is the right thing to do :-)
To be more precise, I would suggest using URIs a defined in RFC 2396,
section 3, without the additional restriction that the path and query
components must be empty.
Since this is also a straightforward method to define how to access the
server, it should be easy for the client to check.
Rupert Kittinger-Sereinig <rks at mur.at>
More information about the Gnutls-help