[gnutls-help] OpenPGP instead of X509: what kind of (sub)key?

Garreau, Alexandre galex-713 at galex-713.eu
Sun Sep 4 00:01:35 CEST 2016


Hi, I recently discovered that GnuTLS can use OpenPGP as a certificate,
instead of X509, which afaik depends on the CA model…

…yet afaik fingerprints change according to the standard (there are at
least 4 versions of it for PGP (still using sha1), and at least one for
X509 (afaik still using sha1 too)), so it won’t simplify things to say “oh, simply
check the fingerprint and if it’s the same one I gave you it’s ok”…
anyway it wouldn’t work because, since I don’t want to store my master
private key on my server, I prefer to “ultimately” sign another keypair and
put it on my server…

So my question is: what does “openpgp support” (as cited here:
http://gnutls.org/openpgp.html and here http://gnutls.org/) mean? Only
that the DH parameters will get signed by a privkey with the same
parameters? Or only that gnutls will call gpg to sign a different x509
cert with the specified key (at this point I could already do that
manually)? Then what automation/commodity does it bring? Does it only say
“that cert is secure” if it is signed by someone you trust/you certified
according to GPG/GNS/whatever?
