Joe Smith wrote:
> For example, your CA can revoke your key, leaving you with one key that is invalid X.509 but valid OpenPGP? Yuck!
Using the X.509 cert and OpenPGP public key (having the same private key) could be useful in the following scenario:

1. You must periodically pay your CA to renew your certificate.
2. The OpenPGP trust model isn't as 'strong' as X.509 (i.e. there aren't many trusted introducers).

So, you pay ONCE to some CA to issue you a short-lived, widely-trusted certificate. It will expire after a year or so, but you can continue to use your OpenPGP key as long as you deem it's OK. The point is that your _identity_ doesn't change when the X.509 cert expires.

So, continuing to use the X.509 (expired) private key solves problem 1. Having the X.509 cert in the first place solves problem 2.
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
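The post above relies on one fact: the X.509 certificate's validity window belongs to the certificate, not to the key pair inside it. The script below is an added example, not code from this thread or from GnuPG, and it assumes only that the `openssl` command line tool (1.1 or newer) is installed. It generates an RSA key pair (constructed for the demo), wraps it in a one-day self-signed certificate standing in for the "year or so" a CA would grant, confirms by SubjectPublicKeyInfo fingerprint that the cert really wraps that key, and then checks the cert's remaining validity with `-checkend`. The key file and its fingerprint are unchanged by the cert expiring, which is the "identity doesn't change" point; the file names and the `example identity` subject are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Requires only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One long-lived RSA key pair (constructed for this demo).
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
}

# Wrap the same key in a short-lived (1 day) self-signed X.509 certificate.
issue_cert() {
  openssl req -new -x509 -key "$WORK/key.pem" -days 1 \
    -subj "/CN=example identity" -out "$WORK/cert.pem" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo taken from the private key file.
pubkey_fp_from_key() {
  openssl pkey -in "$WORK/key.pem" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint, but extracted from the certificate.
pubkey_fp_from_cert() {
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the cert and the key file carry the same public key.
same_key() {
  [ "$(pubkey_fp_from_key)" = "$(pubkey_fp_from_cert)" ]
}

# Returns 0 if the cert stays valid for at least $1 more seconds,
# 1 if it expires sooner (or has already expired).
cert_valid_for() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkend "$1" >/dev/null
}

gen_key
issue_cert

same_key && echo "cert and key file share one public key"
cert_valid_for 3600 && echo "cert is valid for at least the next hour"
if cert_valid_for 864000; then
  echo "cert still valid in 10 days"
else
  echo "cert will have expired within 10 days; the key pair is unaffected"
fi
```

The fingerprint comparison is the check to run before reusing a key across formats: an OpenPGP v4 fingerprint is computed over the key packet including its creation time, so it will never equal the SPKI hash above; to tie the OpenPGP key to the same material you compare the RSA modulus (for example from `openssl pkey -text`) rather than the fingerprints. Joe Smith's objection is the caveat to keep in mind with this check: revocation by the CA only touches the X.509 binding, so if the cert was revoked because the key was compromised, the OpenPGP key built on the same private key must be revoked as well.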
