On 02/04/2014 12:36 PM, Hauke Laging wrote:
>> I don't know of a formalized way to do the other mapping, but it seems
>> like it would be pretty straightforward to embed the full X.509
>> certificate in a notation packet
>
> Why wouldn't the fingerprint and the DN be enough? The whole
> approach is based on the assumption that the X.509 certificate is
> already available.

if the X.509 certificate is already available, nothing else needs to be
done.  you can compare the MPIs for the public key directly.

> Using a different key would not make sense.

why not?  many of the main cartel CAs routinely set up special keys for
sub-CAs whose job is to make certain kinds of certifications.  Perhaps
such a sub-CA could be made for issuing OpenPGP certifications?

> That's my opinion, too. And exactly that can be taken over to OpenPGP.
> Integrated deployment is already there, we just need the technical
> bridge from X.509 to OpenPGP. And afterwards the OpenPGP certifications
> by the CAs, of course.

I'd love to see it the other way around, actually (though maybe i'm
misunderstanding you again) -- It would be great to use S/MIME as the
message transport and encapsulation, but use OpenPGP for the certificate
model.  This takes advantage of all the existing message parsing and
packaging in any existing S/MIME client, and reduces OpenPGP support to
a key management and certificate validation plugin.

To do this, i'd likely want to add a pair of S/MIME-specific subkeys to
my OpenPGP certificate (one for encryption, one for signing), so that i
can avoid re-using key material across different cryptographic messaging
schemes (i.e. not use the same signing key for both OpenPGP messages and
S/MIME messages).

Werner recently (in message ID 87zjmv127f....@vigenere.g10code.de)
indicated his acceptance of a notation named extended-us...@gnupg.org
with a value that can be set to "bitcoin".  Maybe the same notation could
be used to indicate "s/mime-sign" or "s/mime-encrypt" for these sorts of
keys?

--dkg
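The check dkg describes above ("compare the MPIs for the public key directly") as an added, self-contained example; this is not code from the thread, from GnuPG, or from either poster. It assumes an RSA key, that `openpgp_mpis` is just the MPI region of an OpenPGP public-key packet (modulus then exponent, after the version, timestamp and algorithm bytes), and that `x509_rsa_der` is the DER `RSAPublicKey` that an X.509 `SubjectPublicKeyInfo` carries inside its BIT STRING. Both the MPI and the DER parser are minimal hand-written ones so it runs without third-party libraries, and the modulus is a constructed 128-bit toy value, not a real key.

```python
# Added example (not from the gnupg-users thread): confirm that an RSA key
# found in an OpenPGP public-key packet and in an X.509 certificate are the
# same key by parsing both encodings down to (n, e) and comparing.
#
# Assumptions: `openpgp_mpis` holds only the two MPIs (n, e) of an RSA
# public-key packet; `x509_rsa_der` is the inner DER RSAPublicKey structure
# from SubjectPublicKeyInfo.  Nothing here is a real key.

SAMPLE_N = 0xA1B2C3D4E5F60718293A4B5C6D7E8F90   # constructed 128-bit toy modulus
SAMPLE_E = 65537

# --- OpenPGP side: RFC 4880 multi-precision integers -------------------------

def encode_mpi(value):
    """2-byte big-endian bit length, then the value with no leading zero bytes."""
    if value == 0:
        return b"\x00\x00"
    bitlen = value.bit_length()
    return bitlen.to_bytes(2, "big") + value.to_bytes((bitlen + 7) // 8, "big")

def decode_mpis(data, count):
    """Read `count` MPIs back to back; reject truncated or trailing input."""
    values = []
    off = 0
    for _ in range(count):
        if off + 2 > len(data):
            raise ValueError("truncated MPI length")
        bitlen = int.from_bytes(data[off:off + 2], "big")
        off += 2
        nbytes = (bitlen + 7) // 8
        chunk = data[off:off + nbytes]
        if len(chunk) != nbytes:
            raise ValueError("truncated MPI body")
        values.append(int.from_bytes(chunk, "big"))
        off += nbytes
    if off != len(data):
        raise ValueError("trailing bytes after MPIs")
    return values

# --- X.509 side: DER RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body          # DER INTEGER is signed: keep it positive
    return b"\x02" + _der_len(len(body)) + body

def der_rsa_public_key(n, e):
    """Build the RSAPublicKey DER (used here only to construct sample input)."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(data, off):
    """Return (tag, contents, offset after the element) for one DER element."""
    tag = data[off]
    length = data[off + 1]
    off += 2
    if length & 0x80:
        nb = length & 0x7F
        length = int.from_bytes(data[off:off + nb], "big")
        off += nb
    end = off + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[off:end], end

def parse_rsa_public_key(der):
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, n_bytes, off = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    tag, e_bytes, off = _read_tlv(seq, off)
    if tag != 0x02 or off != len(seq):
        raise ValueError("exponent is not an INTEGER, or trailing data")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# --- The comparison ----------------------------------------------------------

def same_rsa_key(openpgp_mpis, x509_rsa_der):
    """True only when both encodings carry the same (n, e); a parse error is a non-match."""
    try:
        n1, e1 = decode_mpis(openpgp_mpis, 2)
        n2, e2 = parse_rsa_public_key(x509_rsa_der)
    except (ValueError, IndexError):
        return False
    return (n1, e1) == (n2, e2)

if __name__ == "__main__":
    pgp = encode_mpi(SAMPLE_N) + encode_mpi(SAMPLE_E)
    x509 = der_rsa_public_key(SAMPLE_N, SAMPLE_E)
    print("same key:", same_rsa_key(pgp, x509))
    print("altered modulus:", same_rsa_key(encode_mpi(SAMPLE_N + 2) + encode_mpi(SAMPLE_E), x509))
```

The point of comparing the decoded integers rather than the raw bytes is that the two formats differ in framing (a bit-length prefix on the OpenPGP side, a signed INTEGER with a possible leading zero on the DER side), so a byte-level comparison of the encodings would spuriously fail even for identical keys.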
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users