On 2016-09-05 at 16:33, Nikos Mavrogiannopoulos wrote:
> On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre
> <[email protected]> wrote:
>> Hi, I recently discovered that GnuTLS can use OpenPGP as certificate,
>> instead of X509, which afaik depends on the CA model…
>
> That's true, but note that we are planning to deprecate that support:
> https://gitlab.com/gnutls/gnutls/issues/102
> It will be replaced by raw keys when that support is available.
>
>> …yet afaik the fingerprint changes according to the standard (there are at
>> least 4 versions of it for PGP (still using sha1), and at least one for
>> X509 (afaik still using sha1 too)), so it won’t simplify to “oh, simply
>> check the fingerprint and if it’s the same one I gave you it’s ok”…
>> anyway it wouldn’t work because since I don’t want to store my master
>> private key on my server I prefer to “ultimate” sign another keypair and
>> put it on my server…
>> So my question is: what does “openpgp support” (as cited there:
>> http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only
>> that the dh parameters will get signed by a privkey with the same
>> parameters?
>
> It directly uses openpgp certificates and keys for signatures.
So… if I run gnutls-server somewhere, and connect to it with gnutls-cli… are the fingerprints I will see those of the openpgp master key? or of the signing subkey? or is it possible to use a subkey for this usage? what features/“usages” should an openpgp cert used by GnuTLS have? “sign”? “certificate”? can I use the new GnuPG Curve25519? Or if I consider that the WoT doesn’t work well enough [1], can I make it so the key of each person I know is “allowed” to certify only keys owned by that same person (without having to “trust” everybody on everybody)?

[1] https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
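The thread turns on two points: how an OpenPGP fingerprint is actually derived (so that a pinned fingerprint can be compared across tools), and that a primary key and its subkey are distinct keys with distinct fingerprints, which matters when deciding which one a TLS peer should pin. The following is an added example, not code from the thread or from GnuTLS; it implements the v4 fingerprint rule from RFC 4880 section 12.2 (SHA-1 over 0x99, a two-octet length, and the public key packet body) for an RSA key, derives the 64-bit key ID from it, and compares a pinned fingerprint against a presented one in constant time. The key parameters `n`, `e` and the creation times below are small constructed values for illustration, not real keys; a real key would carry a 2048-bit or larger modulus.

```python
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI (RFC 4880 3.2):
    a 2-octet bit count followed by the big-endian magnitude."""
    if value < 0:
        raise ValueError("MPI values are non-negative")
    if value == 0:
        return b"\x00\x00"
    nbits = value.bit_length()
    return nbits.to_bytes(2, "big") + value.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Body of a v4 Public-Key or Public-Subkey packet for RSA (algorithm 1):
    version octet 4, 4-octet creation time, algorithm octet, then MPIs n and e.
    Subkeys use a different packet tag but the same body layout."""
    return b"\x04" + creation_time.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 of 0x99 || 2-octet body length || body,
    rendered as 40 uppercase hex characters (the form gpg prints)."""
    if len(body) > 0xFFFF:
        raise ValueError("v4 fingerprint input uses a 2-octet length")
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
    return digest.hex().upper()


def key_id(fingerprint: str) -> str:
    """The Key ID is the low-order 64 bits of the fingerprint (last 16 hex chars)."""
    return fingerprint[-16:]


def fingerprint_matches(pinned: str, presented: str) -> bool:
    """Compare a pinned fingerprint with one read from a peer, tolerating the
    spacing and case differences between tools, in constant time."""
    normalise = lambda s: "".join(s.split()).upper()
    return hmac.compare_digest(normalise(pinned), normalise(presented))


# Constructed sample keys (hypothetical, far too small to be real RSA keys).
PRIMARY_BODY = v4_rsa_public_key_body(1473000000, 0xC0FFEE1234567891, 65537)
SUBKEY_BODY = v4_rsa_public_key_body(1473000300, 0xDEADBEEFCAFEF00D, 65537)


def primary_and_subkey_fingerprints() -> tuple:
    """Return (primary fingerprint, subkey fingerprint); they never coincide,
    so a peer must pin whichever key the server actually presents."""
    return v4_fingerprint(PRIMARY_BODY), v4_fingerprint(SUBKEY_BODY)


if __name__ == "__main__":
    primary_fp, subkey_fp = primary_and_subkey_fingerprints()
    print("primary :", primary_fp, "key id", key_id(primary_fp))
    print("subkey  :", subkey_fp, "key id", key_id(subkey_fp))
    # A pin written in gpg's spaced lower-case style still matches.
    spaced = " ".join(primary_fp[i:i + 4] for i in range(0, 40, 4)).lower()
    print("pin check:", fingerprint_matches(spaced, primary_fp))
```

The practical takeaway for the question in the thread is that a verifier pins the fingerprint of the key that signs the TLS handshake; if that is a subkey, pinning the primary key's fingerprint will never match, and the two must be treated as separate identities in any out-of-band comparison.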
