On 05/02/14 11:23, Werner Koch wrote:
> In general it does not make sense to use the same key - there is no
> advantage.

I could think of /a/ reason to do it. You could leverage existing X.509 certifications by CAs to verify key validity in the OpenPGP world.

An X.509 certification obviously certifies that a certain X.509 certificate belongs to the person or role identified by the Distinguished Name. But seen a bit differently, it certifies that that Distinguished Name has control over the key that is in the certificate. If that same key is used as an OpenPGP key, it follows that that same Distinguished Name has control over that key.

So you could create a hybrid model: I assign trust to a specific CA. That CA has issued a certificate with DN "XYZ". In my public OpenPGP keyring, there exists a key with a UID "XYZ", and that public key has the same raw key material as the certificate. A key manager that manages both types of keys can now in fact infer that UID "XYZ" is validated by that CA.

This approach doesn't change anything about the format of certificates in either X.509 or OpenPGP; it simply matches raw key material and DNs to UIDs, and infers a measure of validity from it. Since OpenPGP UIDs are usually not in the same format as DNs, people need to explicitly create such a UID to support this kind of validity inference. For a better user experience, it might be useful if frontends could work with the DN format, so such a UID is considered when matching on an e-mail address.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
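The validity inference described in the post, as an added example in Python (not code from the original thread or from GnuPG). It assumes a key manager has already parsed certificates and OpenPGP keys into plain records: raw RSA key material as (n, e), the subject and issuer DN of each certificate, and the user IDs of each OpenPGP key; all values below are constructed toy data. It also covers the two cases a practitioner must get right: a UID that merely copies a certified DN on a different key, and a matching key whose certificate comes from a CA that is not trusted.

```python
from collections import namedtuple

# Constructed record types; n/e are toy integers standing in for real RSA MPIs.
RawKey = namedtuple("RawKey", "n e")                 # raw public key material
X509Cert = namedtuple("X509Cert", "issuer subject key")
OpenPGPKey = namedtuple("OpenPGPKey", "uids key")    # uids: tuple of user IDs

def normalize_dn(dn):
    """Turn 'CN=Peter, O=Example' into {('cn','peter'), ('o','example')} so
    RDN order and case do not affect matching. A non-DN UID such as
    'Peter <peter@example.org>' yields a set that never matches a DN."""
    rdns = [rdn.strip().partition("=") for rdn in dn.split(",")]
    return frozenset((a.strip().lower(), v.strip().lower()) for a, _, v in rdns)

def infer_validated_uids(trusted_cas, certs, pgp_keys):
    """Return {uid: issuer DN} for every OpenPGP UID that equals the subject
    DN of a certificate from a trusted CA AND sits on a key whose raw material
    equals that certificate's key. Compare (n, e), not fingerprints: an
    OpenPGP v4 fingerprint also hashes the key creation time, so it can never
    equal a hash of the X.509 SubjectPublicKeyInfo for the same key."""
    trusted = {normalize_dn(ca) for ca in trusted_cas}
    certified = {}  # raw key -> {normalized subject DN: issuer DN}
    for cert in certs:
        if normalize_dn(cert.issuer) in trusted:
            certified.setdefault(cert.key, {})[normalize_dn(cert.subject)] = cert.issuer
    validated = {}
    for pgp in pgp_keys:
        for uid in pgp.uids:
            issuer = certified.get(pgp.key, {}).get(normalize_dn(uid))
            if issuer is not None:
                validated[uid] = issuer
    return validated

def demo():
    """Constructed data: one trusted CA, one genuine match, two decoys."""
    ca = "CN=Example CA, O=Example Org"
    k_peter, k_other, k_alice = RawKey(0xC0FFEE, 65537), RawKey(0xBADB0B, 65537), RawKey(0xA11CE, 3)
    certs = [
        X509Cert(ca, "CN=Peter, O=Example Org", k_peter),
        X509Cert("CN=Untrusted CA", "CN=Alice, O=Example Org", k_alice),
    ]
    keys = [
        OpenPGPKey(("O=Example Org, CN=Peter", "Peter <peter@example.org>"), k_peter),
        OpenPGPKey(("CN=Peter, O=Example Org",), k_other),  # same DN, different key
        OpenPGPKey(("CN=Alice, O=Example Org",), k_alice),  # right key, untrusted CA
    ]
    return infer_validated_uids([ca], certs, keys)
```

Only the first key's DN-form UID comes back validated; the e-mail-form UID on the same key is untouched, which is exactly the frontend gap the post points out.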