[gnutls-help] OpenPGP instead of X509: what kind of (sub)key?

Garreau, Alexandre galex-713 at galex-713.eu
Mon Sep 5 18:19:25 CEST 2016

On 2016-09-05 at 16:33, Nikos Mavrogiannopoulos wrote:
> On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre
> <galex-713 at galex-713.eu> wrote:
>> Hi, I recently discovered that GnuTLS can use OpenPGP as certificate,
>> instead of X509, which afaik depends on the CA model…
> That's true, but note that we are planning to deprecate that support:
> https://gitlab.com/gnutls/gnutls/issues/102
> It will be replaced by raw keys when that support is available.
>> …yet afaik fingerprints change according to the standard (there are like at
>> least 4 versions of it for PGP (still using sha1), and at least one for
>> X509 (afaik still using sha1 too)), so it won’t simplify by “oh simply
>> check at the fingerprint and if it’s the same that I gave you it’s ok”…
>> anyway it wouldn’t work because since I don’t want to store my master
>> private key on my server I prefer to “ultimate” sign another keypair and
>> put it on my server…
>> So my question is: what does “openpgp support” (as cited there:
>> http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only
>> that the dh parameters will get signed by a privkey with the same
>> parameters?
> It directly uses openpgp certificates and keys for signatures.

So… if I run gnutls-server somewhere, and connect to it with
gnutls-client… the fingerprints I will see are those of the openpgp
masterkey? or of the signing subkey? or is it possible to use a subkey
for this usage? what features/“usages” should an openpgp cert used
by GnuTLS have? “sign”? “certificate”? can I use the new GnuPG Curve25519?

Or if I consider WoT doesn’t work enough [1], can I make it so the key of
each person I know is “allowed” to certify only keys owned by this
very same person (without having to “trust” everybody on everybody)?

