Daniel Kahn Gillmor <[EMAIL PROTECTED]> writes:

> On Wed 2007-04-11 12:46:37 -0400, Ludovic Courtès wrote:
>
>> It feels strange to me to fill the user ID packet with something
>> that is not an RFC822 mail name, even though this is just a
>> convention.
>
> I agree that it feels strange! But i'm really hoping to see OpenPGP
> keys used in place of X.509 certs for TLS, so we need to think about
> what's the appropriate thing to put there, and how various Certificate
> authorities and clients should interpret it.
>
> The TLS-OpenPGP draft [0] doesn't seem to say anything about it:
>
>     Considerations about the use of the web of trust or identity and
>     certificate verification procedure are outside the scope of this
>     document. These are considered issues to be handled by the
>     application layer protocols.
>
> Is there another draft addressing this issue? I think a declared
> convention for certificate verification during a TLS connection would
> help folks understand this new model. When you connect to a
> TLS-enabled service, you aren't connecting to an RFC 822 e-mail
> address. What would you look for in the UID of an OpenPGP-style cert
> offered by such a service?
>
> Any thoughts, suggestions, or pointers from other TLS-savvy folks on
> this list?
I just realized: do we have to use the ID packet for this purpose?
Can't we define a new OpenPGP packet, similar to the X.509 Subject
Alternative Name extension? I think this is similar to how X.509
evolved: first you placed the server name in the CN, then you invented
an extension packet to hold it.

In any case, to provide interoperability, I believe there should be an
IETF document specifying this. I'm quite busy, but I would be
interested in helping such a project. Approaching the tls-openpgp
authors and/or the OpenPGP WG to discuss the extension could be a first
step.

/Simon

_______________________________________________
Help-gnutls mailing list
[EMAIL PROTECTED]
http://lists.gnu.org/mailman/listinfo/help-gnutls
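Daniel's question above (what a TLS client would look for in the UID of a server's OpenPGP cert) worked through in code, as an added example that belongs to neither this thread nor GnuTLS: it walks the key's packets, collects User IDs under an assumed, hypothetical convention (a bare DNS name, or `free text <dns-name>`), and fails closed unless one of them names the host that was connected to. The packet walker, the regex and all function names are my own assumptions, not anything from the draft.

```python
import re
USER_ID_TAG = 13  # OpenPGP User ID packet (RFC 2440 / RFC 4880 section 5.11)

def iter_packets(data):
    """Yield (tag, body) from a binary OpenPGP packet stream (definite lengths only)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                                   # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

# Assumed convention (hypothetical, not from any draft): a server cert's User ID is a
# bare DNS name or "free text <dns-name>", mirroring the RFC 822 "name <addr>" shape.
_UID_HOST = re.compile(r"^(?:[^<>]*<)?([A-Za-z0-9*](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)>?$")

def uid_hostnames(data):
    """DNS names carried by User ID packets that fit the assumed convention."""
    names = []
    for tag, body in iter_packets(data):
        m = tag == USER_ID_TAG and _UID_HOST.match(body.decode("utf-8", "replace").strip())
        if m:
            names.append(m.group(1).lower())
    return names

def host_matches(pattern, host):
    """RFC 2818-style match: '*' allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and "*" not in p[1:] and p[0] in ("*", h[0]) and p[1:] == h[1:]

def cert_matches_host(data, host):
    """Fail closed: True only if some User ID names the host that was connected to."""
    return any(host_matches(n, host) for n in uid_hostnames(data))
```

An e-mail-style UID such as `Alice <alice@example.org>` deliberately yields no hostname, so a key made for mail never matches a server name by accident.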
