[Help-gnutls] Re: OpenPGP certificate verification for TLS connections

Rupert Kittinger-Sereinig rks at mur.at
Mon Apr 16 22:28:08 CEST 2007 

Ludovic Courtès schrieb:
...
>> One example: a secure messaging service could have millions of
>> users. A gnupg keyring of this size may be a bit problematic, but a
>> database should handle this easily. To validate a client connection in
>> this scenario, we would need to:
>> - check for a trusted signature (including expiry and revocation), we
>> can keep this as simple as checking for one trusted key if we want.
> 
> What do you mean by "trusted signature"?  Something like an
> "authorization certificate" signed by a "trusted authority" (see my
> previous post)?
> 

I mean trusted in the sense of the pgp trustdb. Ideally, every user 
should be able to configure how he wants to construct his web of trust.

E.g. for a server application, the admin could choose a handfull of 
"user managers" whose keys he would put in the keyring and assign 
ultimte trust to each one.

Another example: a user of web services could validate the server key 
fingerprint, and locally sign them with his own key.

>> - now that we know the ID is authentic, we can look it up in the
>> database and decide what the client is allowed to do.
>>

One more point: even if the user id is relevant and not the key, key 
revocation must still ber handled on a key basis. But this is only 
necessary for key compromise, which should be a rare event. If a user 
should be denied access, this can be handled via his id.

>> As for he content of ids, I agree with Daniel: using URIs seems the
>> logical choice to me, at least for servers.
> 
> Why?  How does this derive from the authorization scheme you just
> sketched?
> 

I did not want to imply that this follows from the first part, I just 
wanted to say I think it is the right thing to do :-)

To be more precise, I would suggest using URIs a defined in RFC 2396, 
section 3, without the additional restriction that the path and query 
components must be empty.

Since this is also a straightforward method to define how to access the 
server, it should be easy for the client to check.

cheers,
Rupert

-- 
Rupert Kittinger-Sereinig <rks at mur.at>
Krenngasse 32
A-8010 Graz
Austria

More information about the Gnutls-help mailing list