On 02/05/2014 01:04 PM, Peter Lebbing wrote:
> So you could create a hybrid model:
>
> I assign trust to a specific CA. That CA has issued a certificate with DN "XYZ". In my public OpenPGP keyring, there exists a key with a UID "XYZ", and that public key has the same raw key material as the certificate. A key manager that manages both types of keys can now in fact infer that UID "XYZ" is validated by that CA.
>
> This approach doesn't change anything about the format of certificates in either X.509 or OpenPGP, it simply matches raw key material and DNs to UIDs, and infers a measure of validity from it. Since OpenPGP UIDs are usually not in the same format as DNs, people need to explicitly create such a UID to support this kind of validity inference. For a better user experience, it might be useful if frontends could work with the DN format, so such a UID is considered when matching on an e-mail address.
If you're interested in this sort of hybrid approach, please take a look at the monkeysphere validation agent's msva-perl git repository, which contains a perl script "openpgp2x509":

git://git.monkeysphere.info/msva-perl

I also have rather half-baked code called "2ca" that operates a minimalist "dual-stack" certificate authority which creates certificates in both OpenPGP and X.509 forms. In particular, it takes an OpenPGP certificate, certifies selected User IDs on it, and then produces an X.509 certificate derived from the relevant key (or subkey) based on the User ID and key usage flags:

git://lair.fifthhorseman.net/~dkg/2ca

I'd welcome patches or suggestions or fixes. Please don't try to deploy this in any sort of production environment without understanding it fully and thinking it through.

If you want to follow up in detail about these projects, and if Werner feels it's off-topic for this list, followup on the Monkeysphere development list would be fine:

Monkeysphere Developers <monkeysph...@lists.riseup.net>

Regards,

--dkg
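The validity inference Peter describes above, as an added Python sketch that is not part of either message nor of msva-perl or 2ca. It assumes the raw public key material has already been pulled out of both containers and is handed in as bytes (constructed stand-in values here, not real SubjectPublicKeyInfo or OpenPGP packets); it credits a UID only when it equals the subject DN of a certificate from a trusted CA and the key material matches, and shows the e-mail matching on a DN-format UID that a frontend would need.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class X509Cert:
    issuer: str     # DN of the issuing CA
    subject: str    # subject DN, e.g. "CN=Alice,emailAddress=alice@example.org"
    spki: bytes     # raw public key material (constructed stand-in)

@dataclass
class OpenPGPKey:
    uids: list      # User IDs carried by the OpenPGP certificate
    pubkey: bytes   # raw public key material (constructed stand-in)

def key_id(material: bytes) -> str:
    # Both formats wrap the same RSA/ECC numbers, so a digest of the raw
    # material identifies the key independently of the container format.
    return hashlib.sha256(material).hexdigest()

def parse_dn(dn: str) -> dict:
    # Minimal "k=v,k=v" DN parser; no escaping or multi-valued RDN support.
    return dict(p.split("=", 1) for p in dn.split(",") if "=" in p)

def infer_validity(trusted_cas, certs, keyring):
    """Map (key_id, uid) -> issuer DN for UIDs a trusted CA vouches for."""
    by_key = {}   # key_id -> {subject DN -> issuer DN}, trusted issuers only
    for cert in certs:
        if cert.issuer in trusted_cas:
            by_key.setdefault(key_id(cert.spki), {})[cert.subject] = cert.issuer
    validated = {}
    for key in keyring:
        kid = key_id(key.pubkey)
        for uid in key.uids:
            issuer = by_key.get(kid, {}).get(uid)   # UID must equal the DN
            if issuer:
                validated[(kid, uid)] = issuer
    return validated

def validated_uids_for_email(validated, email):
    # Frontend helper: a DN-format UID matches on its emailAddress RDN.
    return [uid for (_, uid) in validated
            if parse_dn(uid).get("emailAddress", "").lower() == email.lower()]

# Constructed sample data: one trusted CA, one unknown CA, three keys.
ALICE_KEY, MALLORY_KEY, BOB_KEY = b"alice-material", b"mallory-material", b"bob-material"
ALICE_DN = "CN=Alice,emailAddress=alice@example.org"
TRUSTED_CAS = {"CN=Example CA"}
CERTS = [X509Cert("CN=Example CA", ALICE_DN, ALICE_KEY),
         X509Cert("CN=Unknown CA", "CN=Bob,emailAddress=bob@example.org", BOB_KEY)]
KEYRING = [OpenPGPKey(["Alice <alice@example.org>", ALICE_DN], ALICE_KEY),
           OpenPGPKey([ALICE_DN], MALLORY_KEY),        # same UID, other key: no credit
           OpenPGPKey(["CN=Bob,emailAddress=bob@example.org"], BOB_KEY)]  # CA untrusted
```

Running `infer_validity(TRUSTED_CAS, CERTS, KEYRING)` credits only Alice's DN-format UID; her conventional "Alice <alice@example.org>" UID gets nothing, which is exactly why the explicit DN-style UID is needed.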
Gnupg-users mailing list: Gnupg-users@gnupg.org, http://lists.gnupg.org/mailman/listinfo/gnupg-users