[Help-gnutls] Re: OpenPGP certificate verification for TLS connections
ludovic.courtes at laas.fr
Wed Apr 18 09:34:29 CEST 2007
Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:
> Note that the OpenPGP web of trust infrastructure allows for clean,
> arbitrary authentication policy, configurable by existing tools. The
> authentication question OpenPGP asks is: "to whom does the presented
> key really belong?" The answer it gives is a list of authenticated
> User IDs: all User IDs that have been sufficiently validated by the
> web of trust.
> Given this list of User IDs, the system can now perform arbitrary
> *authorization* policy checks: Are any of the presented User IDs
> authorized to use the particular service?
> Note that the authorization layer is completely agnostic about the
> keys. This is a feature, not a bug! It means users can have multiple
> keys (if each key is signed by the appropriate trusted people), users
> can revoke old keys in the case of compromise, keys can expire, and so
> on, all without any changes to the server itself or any centralized
> control .
I think I'm only starting to get your point, sorry for the delay. ;-)
My understanding of what you're saying it this (where "I" is the
1. When I receive a connection from someone, I check the list of
signers contained in their public key (or "OpenPGP certificate", or
"transferable public key").
2. If that key is signed by someone I trust, then I can trust the
key-user ID binding itself.
3. _Since_ I trust the key-user ID binding, I can now make
authorization decisions based only on the user ID.
And this is why the contents of user ID packets matters: URIs would
indeed make it easier to implement step (3). I think I got it. :-)
That's probably a useful usage pattern. The problem that I see is that
it would be non-standard, so (getting back to the original topic) it may
be beyond the scope of GnuTLS. What would be useful, though, is a set
of tools to traverse the signer graph (as is required by step (2)).
More information about the Gnutls-help