[Help-gnutls] Re: OpenPGP certificate verification for TLS connections

Rupert Kittinger-Sereinig rks at mur.at
Tue Apr 17 20:22:36 CEST 2007


Ludovic Courtès wrote:
> Hi,
> 
> Rupert Kittinger-Sereinig <rks at mur.at> writes:
> 
>> Ludovic Courtès wrote:
>> ...
>>>> One example: a secure messaging service could have millions of
>>>> users. A gnupg keyring of this size may be a bit problematic, but a
>>>> database should handle this easily. To validate a client connection in
>>>> this scenario, we would need to:
>>>> - check for a trusted signature (including expiry and revocation), we
>>>> can keep this as simple as checking for one trusted key if we want.
>>> What do you mean by "trusted signature"?  Something like an
>>> "authorization certificate" signed by a "trusted authority" (see my
>>> previous post)?
>>>
>> I mean trusted in the sense of the pgp trustdb. Ideally, every user
>> should be able to configure how he wants to construct his web of trust.
>>
>> E.g. for a server application, the admin could choose a handful of
>> "user managers" whose keys he would put in the keyring and assign
>> ultimate trust to each one.
>>
>> Another example: a user of web services could validate the server key
>> fingerprint, and locally sign them with his own key.
> 
> Nitpick: As mentioned earlier in this thread, signing an OpenPGP public
> key means that "the signer is testifying to his or her belief that this
> public key belongs to the user identified by this user ID" [RFC 2440,
> Section 10.1].  I think this is not what you want here.
> 
> Thanks,
> Ludovic.
> 

Why do you think so? If I verify that the key belongs to a person (e.g.
by checking the fingerprint) I may well document that for later
reference by signing the key.

Rupert

-- 
Rupert Kittinger-Sereinig <rks at mur.at>
Krenngasse 32
A-8010 Graz
Austria
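The client-validation steps quoted above (a certification from an ultimately trusted "user manager" key, checked for expiry and revocation), as an added example that is not part of this thread and not GnuTLS or GnuPG code; the key fingerprints, dates and keyring are constructed, and the trust model is the simplified one the scenario describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed model of the check from the thread: accept a client key only if
# a key the admin marked ultimately trusted has certified it, and neither the
# client key, the certification nor the certifying key is revoked or expired.
@dataclass
class Certification:
    signer: str                      # fingerprint of the certifying key
    created: datetime
    revoked: bool = False            # certification revoked by its signer

@dataclass
class Key:
    fingerprint: str
    expires: Optional[datetime] = None
    revoked: bool = False
    certifications: List[Certification] = field(default_factory=list)

def key_usable(key: Key, now: datetime) -> bool:
    return not key.revoked and (key.expires is None or now < key.expires)

def trusted_certifier(client: Key, keyring: Dict[str, Key],
                      trusted: Set[str], now: datetime) -> Optional[str]:
    """First trusted key with a valid certification on client, else None."""
    if not key_usable(client, now):
        return None
    for cert in client.certifications:
        if cert.signer not in trusted or cert.revoked or cert.created > now:
            continue
        signer = keyring.get(cert.signer)
        if signer is not None and key_usable(signer, now):
            return cert.signer       # revoked/expired managers fall through
    return None

def demo() -> Dict[str, Optional[str]]:
    utc = timezone.utc
    now = datetime(2007, 4, 17, tzinfo=utc)
    keyring = {"MGR1": Key("MGR1", expires=datetime(2010, 1, 1, tzinfo=utc)),
               "MGR0": Key("MGR0", revoked=True)}
    trusted = {"MGR1", "MGR0"}       # admin gave both ultimate trust
    def cert_by(mgr, year):
        return [Certification(mgr, datetime(year, 1, 1, tzinfo=utc))]
    clients = [Key("USER-OK", certifications=cert_by("MGR1", 2006)),
               Key("USER-STALE", certifications=cert_by("MGR0", 2005)),
               Key("USER-EXPIRED", expires=datetime(2007, 1, 1, tzinfo=utc),
                   certifications=cert_by("MGR1", 2006))]
    return {c.fingerprint: trusted_certifier(c, keyring, trusted, now) for c in clients}
```

USER-STALE is rejected because its only certifier has since been revoked, even though the certification itself was never revoked; USER-EXPIRED is rejected on its own expiry before any certification is examined.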
