Installation gnupg on Windows

Faramir faramir.cl at gmail.com
Fri Aug 29 14:15:51 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

John W. Moore III escribió:
> Faramir wrote:
> 
>> but I remember I saw, when the cetificate generation bug in OpenSSL for
>> debian machines was discovered, a site said "certificates generated by
>> GnuPG are not affected".
> 
> You may be under the impression that a Key & a Certificate are 2
> different animals.  By definition, a PGP/GPG Key _is_ a Certificate.  An

  Once I read "a signed public key it is a certificate". I have also
seen discussions about if people is using keys OR certificates... since
I couldn't understand the difference (and the discussion seemed to be
becoming a flame), I didn't participate on that one... So I was almost
sure they were the same animal, but not sure enough to defend that
position. However, since most people just know about x.509 certificates
(because they are used by SSL), when I see the word "certificate", the
first thing I think about, is SSL stuff related (and I think S/MIME uses
the same kind of certificates). At GPG list, people usually talk about
keys... so when I read "public key", the first thing I think about is
OpenPGP.

> x.509 Certificate is just an asymmetric Keypair issued/assigned by an
> Organization whereas a PGP/GPG Key is basically a self-generated
> Certificate.

  Clear like water... but I think it would be interesting if people
could use x.509 certificates as we use GPG... I mean, if I can make a
self signed certificate, and exchange it with a friend, and we could
sign these certificates, and make some software to trust them (since
they have been signed with my own key), I could use these certificates
with outlook, or even for web site login purposes (at CAcert web site,
people can use their CAcert issued certificates to login, instead of
user name and password). I figure all that CAN be done... but I don't
think that would be easy to do... so I though _maybe_ GPG2 would be
taking a step in that direction. All I know about GPG4win (the only GPG2
software I can use, since it can't be compiled in windows environment),
is it comes with a lot of software, probably even with a mail client,
and "it supports x.509 certificates". But I don't know if it intends to
decentralize the "trust", or if it is just about to put all
security/authentication stuff together.

> The 'generation bug' had to do with the software used by x.509
> Organizations to created the 'Keypair' they assigned to their clients.
> GnuPG uses a different random number generation process so was not affected.

  Yes, but if we compare certificates created with OpenSSL, and
certificates OpenPGP, it is an apples and grapes thing, so I supposed
^maybe^ they were talking about GPG2, and that GPG2 had the capability
to generate x.509 keys... but I never confirmed that, so I archived it
in my "maybe..." folder :-P

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJIt+h2AAoJEMV4f6PvczxAlYAH/jyf43u1mrmgVw4+S7NjfPet
zGuU+EY25uU/+FervGq1XPtALTbs0p3L9a6eo06uN4AYOchGsix2Ow8joFnaMEWY
HHK84zft1pk2qHEPOIPAmID8N9tNDCyHVG4Fb4z1ws60K50ExT/7npG1pWbXcIlS
pr/xo9Jmps37yHdUruJT1OcLFdhE0+tGto2hJNHfX7eWHCrOoF0dQH3RPE3hmybw
70Tid3C73l1VTkbqoeCBkqJJyrgrT5BV7qpfnQgZdXsG8CG9g4HJKJ2U6vStRHrF
7tPZcgklLHPGvZp/iJsn4c2ZP79KfrpQIb+vKz+kz5D9cHNZW9B4Wtmm3oHv57E=
=hMJ6
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list