At first, I'd like to thank you for the great explanations.

On 14.06.2017 19:21, Juan Miguel Navarro Martínez wrote:
> As far as I know, GPGSM is a GPG tool to use X.509 certificates. That's
> not the OpenPGP protocol. With this said...

Here is where my worry begins. AFAIK, all PGP variants are using RSA key pairs. A public X.509 certificate is just a container for such keys (and possibly has information about the certificate chain). Given that, in my naive world, it should be no problem to extract that public PGP key from the certificate; the goal would be to gain the "pure" key which then could be added to the traditional PGP (Enigmail / gpg4win) world.

Of course, any information regarding the certification chain would be lost when doing so, but I really wouldn't care about that (I have downloaded the certificate from the website of a very big, well-known company; the website is protected by TLS, and I have checked that there was no man in the middle).

Unfortunately, I didn't find any hint on how to extract that key. It is in the certificate for sure, and I think I will eventually be able to dump it after playing some time with OpenSSL, but then I eventually won't know how to integrate it into Enigmail / gpg4win.

Furthermore, I am still not sure if this is just a matter of transforming the key or if the whole software / data exchange protocol depends on the sort of key. In other words, even if I would manage to extract the key and to integrate it into the Enigmail / gpg4win world, would the communication partner be able to decrypt the respective messages?

> For GnuPG to use KBX format, you must have the modern branch which is
> 2.1 and later. For that, you need to use the experimental version of
> Gpg4Win:

This is a very important hint. I didn't even know that such a branch exists. An average user visiting their website mainly for downloading their software won't see any hint regarding that ... or I have missed something.

> After you download the experimental version, you must do the following:
[...]
> I must remind you that your partner's key will still be an X.509 key and
> so you'll still need to use GPGSM to list, verify messages from and
> encrypt messages to that key, but now both public OpenPGP and X.509 keys
> will be stored in pubring.kbx.

Thank you very much for the manual :-) So I now know how to use pubring.kbx instead of pubring.gpg, but obviously, this is not the solution to my problem (as I initially had thought).

The bottom line seems to be that I can't use Enigmail / gpg4win to exchange email with communication partners which provide their keys in the form of certificates. This does not make much sense since there is a strong trend among the big companies to provide only PGP certificates instead of PGP keys. Using gpgsm on the command line is not what I would like to do in my daily email routine (although I am a strong fan of the command line in other situations).

Slightly off-topic: Does anybody eventually know if and when Enigmail / gpg4win will support certificates?

Thank you very much,

Binarus

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
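
Worked example, added to this page and not part of the thread or of GnuPG's or OpenSSL's own documentation. It shows the two things the message above asks about: dumping the "pure" RSA public key out of an X.509 certificate with OpenSSL, and handing the certificate itself to gpgsm, which is the route GnuPG actually supports. Everything below is an assumption for the sake of the demo: the certificate is a throwaway self-signed one generated on the spot (subject "Demo Partner", address partner@example.invalid) standing in for the one downloaded from the partner's website, the file names are made up, and gpgsm is treated as optional.

```shell
#!/bin/sh
# Added example for this thread (not code from the mailing list, GnuPG or OpenSSL).
# 1. Extract the "pure" RSA public key (SubjectPublicKeyInfo) from an X.509
#    certificate with OpenSSL and inspect it.
# 2. Import the certificate into gpgsm, the path GnuPG supports for X.509.
# Assumptions: openssl is on PATH; gpgsm is optional (that step is skipped when
# it is absent). A self-signed certificate constructed here plays the role of
# the certificate downloaded from the partner's website.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: self-signed RSA certificate standing in for the partner's.
# Prints the path of the certificate file.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Partner/emailAddress=partner@example.invalid" \
        -keyout "$WORK/demo-key.pem" -out "$WORK/demo-cert.pem" 2>/dev/null
    printf '%s\n' "$WORK/demo-cert.pem"
}

# Algorithm named in the certificate's SubjectPublicKeyInfo (e.g. rsaEncryption).
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# Write the bare public key (PEM "BEGIN PUBLIC KEY") of certificate $1 to file $2.
# The issuer's signature and any chain information are deliberately left behind.
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Modulus size of an extracted public key, in bits.
pubkey_bits() {
    openssl pkey -pubin -in "$1" -text -noout \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Show that the extracted key is a working RSA key: verify a signature made with
# the demo private key (possible here only because this script generated it).
# Prints "Verified OK" on success.
verify_demo_signature() {
    printf 'hello partner\n' > "$WORK/msg.txt"
    openssl dgst -sha256 -sign "$WORK/demo-key.pem" \
        -out "$WORK/msg.sig" "$WORK/msg.txt"
    openssl dgst -sha256 -verify "$1" -signature "$WORK/msg.sig" "$WORK/msg.txt"
}

# The supported route: give the certificate itself to gpgsm. A private
# GNUPGHOME keeps the real keyring untouched.
import_into_gpgsm() {
    if ! command -v gpgsm >/dev/null 2>&1; then
        echo "gpgsm not installed; skipping import"
        return 0
    fi
    GNUPGHOME="$WORK/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpgsm --batch --import "$1" 2>&1 || echo "gpgsm import failed"
    gpgsm --list-keys 2>&1 || true
}

CERT=$(make_demo_cert)
extract_pubkey "$CERT" "$WORK/partner-pub.pem"
echo "key algorithm: $(cert_key_algorithm "$CERT"), $(pubkey_bits "$WORK/partner-pub.pem") bits"
cat "$WORK/partner-pub.pem"
verify_demo_signature "$WORK/partner-pub.pem"
import_into_gpgsm "$CERT"
```

Caveat for anyone trying this on a real certificate: what `openssl x509 -pubkey` yields is a bare RSA public key in SubjectPublicKeyInfo form, not an OpenPGP key. An OpenPGP public key is a set of packets (the key material plus at least one user ID and a self-signature over it), and gpg will not import a PEM public key as it stands, so extracting the key does not by itself make the partner usable from Enigmail. The message formats also differ: gpgsm produces CMS/S/MIME for X.509 recipients, gpg produces OpenPGP, and the partner's client must understand whichever one is sent.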
