[Help-gnutls] Re: OpenPGP certificate verification for TLS connections

Rupert Kittinger-Sereinig rks at mur.at
Tue Apr 17 23:10:24 CEST 2007

Daniel Kahn Gillmor schrieb:
>> So what I *really* want is a host key that's signed by the systems'
>> admin key, and I want to tell my users, or rather my default suer
>> setup, "if you see a host key that's signed by _that_ key here, and
>> if you're connecting to hosts in _these_ domains, maybe print a nice
>> info the first time you see it in an interactive session, but
>> otherwise assume it's OK".
> i'd agree with this, except i'd say "if you see a host key *bound to
> the expected User ID* signed by _that_ key..."
> This is because the client should be checking not just that the key is
> signed by a trusted authority, but that the authority claims it
> belongs to the entity the client is connecting to.
> It does raise an interesting question of whether the web-of-trust
> should be able to accomodate "only trust key X signatures when they're
> bound to User IDs of the following form".  This would let you say, for
> example, "i trust dkg to identify people/servers within the
> fifthhorseman.net domain, but i'd rather not trust his identifications
> of anyone else."
> Is there a way to represent something like that in the current
> web-of-trust architecture?

In principle, this should be easy: keep different keyrings and/or 
trustdbs for different groups of user ids. whether this is easy to 
implement with concrete implementations is another question :-)


Rupert Kittinger-Sereinig <rks at mur.at>
Krenngasse 32
A-8010 Graz

More information about the Gnutls-help mailing list