[gnutls-help] OpenPGP instead of X509: what kind of (sub)key?

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Sep 5 16:33:38 CEST 2016


On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre
<galex-713 at galex-713.eu> wrote:
> Hi, I recently discovered that GnuTLS can use OpenPGP as certificate,
> instead of X509, which afaik depends on the CA model…

That's true, but note that we are planning to deprecate that support:
https://gitlab.com/gnutls/gnutls/issues/102
It will be replaced by raw keys when that support is available.

> …yet afaik fingerprints change according to the standard (there are like at
> least 4 versions of it for PGP (still using sha1), and at least one for
> X509 (afaik still using sha1 too)), so it won’t simplify to “oh, simply
> check the fingerprint and if it’s the same one that I gave you, it’s ok”…
> anyway it wouldn’t work because, since I don’t want to store my master
> private key on my server, I prefer to “ultimate” sign another keypair and
> put it on my server…
> So my question is: what does “openpgp support” (as cited there:
> http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? Only
> that the DH parameters will get signed by a privkey with the same
> parameters?

It directly uses openpgp certificates and keys for signatures.

> cert with the specified key (at this point I could already do that
> manually)? Then what automation/commodity does it bring? Does it only say
> “that cert is secure” if it is signed by someone you trust/you certified
> according to GPG/GNS/whatever?

You can verify the certificate against a "ring" of trusted keys.

regards,
Nikos
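
The exchange above turns on what an OpenPGP fingerprint actually is and what a check against a "ring" of trusted keys matches on. The following is an added example, not code from this thread or from GnuTLS. It builds a constructed, toy-sized (insecure) v4 RSA public-key packet, parses binary OpenPGP packet headers, computes the v4 fingerprint defined in RFC 4880 section 12.2 (SHA-1 over the byte 0x99, the two-byte body length and the public-key packet body) together with the 64-bit key ID derived from it, and then performs a simplified fingerprint-membership check against a ring. GnuTLS's ring verification checks signatures made by ring keys rather than just comparing fingerprints; the membership check here only models the "check the fingerprint I gave you" scenario raised in the question. All key material, names and timestamps below are constructed for the example.

```python
"""OpenPGP v4 fingerprints, key IDs and a fingerprint-pinning ring check.

Added example (not from the gnutls-help thread, not GnuTLS code).  Implements
RFC 4880 12.2: v4 fingerprint = SHA-1(0x99 || 2-byte body length || body);
the key ID is the low-order 64 bits of the fingerprint.  The keys below are
constructed, tiny and insecure; they exist only to exercise the parser.
"""
import hashlib
import struct

PUBKEY_TAG = 6      # Public-Key packet (RFC 4880 5.5.1.1)
USERID_TAG = 13     # User ID packet, skipped when collecting fingerprints
PUBSUBKEY_TAG = 14  # Public-Subkey packet (RFC 4880 5.5.1.2)
RSA = 1             # public-key algorithm id: RSA (encrypt or sign)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def v4_rsa_pubkey_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algo, MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + bytes([RSA]) + mpi(n) + mpi(e)


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Wrap a body in an old-format packet header (RFC 4880 4.2.1), shortest length form."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    if len(body) < 65536:
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    return bytes([0x80 | (tag << 2) | 2]) + struct.pack(">I", len(body)) + body


def iter_packets(data: bytes):
    """Yield (tag, body) for each old- or new-format packet in a binary OpenPGP blob."""
    pos = 0
    while pos < len(data):
        ptag = data[pos]
        if not ptag & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        pos += 1
        if ptag & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = ptag & 0x3F
            first = data[pos]; pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192; pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 0:
                length = data[pos]; pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else:
                raise ValueError("indeterminate length not supported")
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        pos += length
        yield tag, body


def v4_fingerprint(body: bytes) -> str:
    """Uppercase hex SHA-1 over 0x99 || 2-byte length || public-key body (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    if len(body) > 0xFFFF:
        raise ValueError("public key body too long for the 2-byte length prefix")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint_hex: str) -> str:
    """The v4 key ID is the low-order 64 bits, i.e. the last 16 hex digits."""
    return fingerprint_hex[-16:]


def fingerprints_in(data: bytes) -> list:
    """Fingerprints of every primary key and subkey in a binary key blob, in order."""
    return [v4_fingerprint(b) for t, b in iter_packets(data) if t in (PUBKEY_TAG, PUBSUBKEY_TAG)]


def trusted_by_ring(cert: bytes, ring: bytes) -> bool:
    """Pinning-style check: the cert's primary key fingerprint appears in the ring.
    Simplified model only; it does not verify any signatures (see the lead-in)."""
    fprs = fingerprints_in(cert)
    return bool(fprs) and fprs[0] in set(fingerprints_in(ring))


# Constructed sample material (insecure toy moduli, arbitrary timestamps).
SAMPLE_CREATED = 0x57CD5000
MASTER_BODY = v4_rsa_pubkey_body(0xC0FFEED00DF00DBEEFCAFE, 65537, SAMPLE_CREATED)
SUBKEY_BODY = v4_rsa_pubkey_body(0x0BADDECAFC0DE12345678, 65537, SAMPLE_CREATED + 60)
OTHER_BODY = v4_rsa_pubkey_body(0xDEADBEEFFEEDFACE0001, 65537, SAMPLE_CREATED)
SAMPLE_CERT = (old_format_packet(PUBKEY_TAG, MASTER_BODY)
               + old_format_packet(USERID_TAG, b"Example <example@example.test>")
               + old_format_packet(PUBSUBKEY_TAG, SUBKEY_BODY))
OTHER_CERT = old_format_packet(PUBKEY_TAG, OTHER_BODY)
TRUSTED_RING = old_format_packet(PUBKEY_TAG, MASTER_BODY)

if __name__ == "__main__":
    fpr = v4_fingerprint(MASTER_BODY)
    print("master fingerprint:", fpr, "key id:", key_id(fpr))
    print("sample cert trusted:", trusted_by_ring(SAMPLE_CERT, TRUSTED_RING))
    print("other cert trusted: ", trusted_by_ring(OTHER_CERT, TRUSTED_RING))
```

The OTHER_CERT case shows a key absent from the ring being rejected. A certificate whose primary key is not in the ring but is bound to a ring key by signature would be rejected by this fingerprint-only check as well, which is exactly the gap that signature-based ring verification closes.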