John W. Moore III wrote:
> Faramir wrote:
>
>> but I remember I saw, when the certificate generation bug in OpenSSL for
>> debian machines was discovered, a site said "certificates generated by
>> GnuPG are not affected".
>
> You may be under the impression that a Key & a Certificate are 2
> different animals. By definition, a PGP/GPG Key _is_ a Certificate. An

Once I read "a signed public key is a certificate". I have also seen
discussions about whether people are using keys OR certificates... since
I couldn't understand the difference (and the discussion seemed to be
becoming a flame), I didn't participate in that one... So I was almost
sure they were the same animal, but not sure enough to defend that
position.

However, since most people just know about x.509 certificates (because
they are used by SSL), when I see the word "certificate", the first
thing I think about is SSL-related stuff (and I think S/MIME uses the
same kind of certificates). On the GPG list, people usually talk about
keys... so when I read "public key", the first thing I think about is
OpenPGP.

> x.509 Certificate is just an asymmetric Keypair issued/assigned by an
> Organization whereas a PGP/GPG Key is basically a self-generated
> Certificate.

Clear like water... but I think it would be interesting if people could
use x.509 certificates as we use GPG... I mean, if I can make a
self-signed certificate, and exchange it with a friend, and we could
sign these certificates, and make some software trust them (since they
have been signed with my own key), I could use these certificates with
Outlook, or even for web site login purposes (at the CAcert web site,
people can use their CAcert-issued certificates to log in, instead of
user name and password).

I figure all that CAN be done... but I don't think that would be easy
to do... so I thought _maybe_ GPG2 would be taking a step in that
direction. All I know about GPG4win (the only GPG2 software I can use,
since it can't be compiled in a Windows environment) is that it comes
with a lot of software, probably even with a mail client, and "it
supports x.509 certificates". But I don't know if it intends to
decentralize the "trust", or if it is just about putting all the
security/authentication stuff together.

> The 'generation bug' had to do with the software used by x.509
> Organizations to create the 'Keypair' they assigned to their clients.
> GnuPG uses a different random number generation process so was not affected.

Yes, but if we compare certificates created with OpenSSL and OpenPGP
certificates, it is an apples and grapes thing, so I supposed ^maybe^
they were talking about GPG2, and that GPG2 had the capability to
generate x.509 keys... but I never confirmed that, so I archived it in
my "maybe..." folder :-P

Best Regards
