Encrypting using gpgsm and self-signed certificates
Werner Koch
wk at gnupg.org
Mon Dec 26 14:57:15 CET 2011
On Sun, 25 Dec 2011 01:23, drfarina at acm.org said:
> self-signed x509 certs via gpgsm as a mechanism for encryption.
> Unfortunately all I get back from gpgsm is "No Value". The output of
That is a misleading error message. You should also enable gpg-agent
logging in gpg-agent.conf to see the real problem.
> $ gpgsm -v --debug-level=guru -r
> 'A17951D33720CCE03E1065ABB7BBC16CC11CCBB9' -e < /dev/urandom
Surely you are joking, Daniel. Encrypting an endless random stream is
not very practical ;-).
> --encrypt --recipient $FINGERPRINT) fails. By contrast, it's more or
> less straightforward to generate an OpenPGP key, trust it, and then
> encrypt an archive with it, and that works as expected.
Welcome to the world of X.509. More seriously, the problem is that you
need to trust a given certificate and X.509 requires a PKI for it. Thus
you need some kind of root certificate which is flagged as trusted.
With the proper options (gpg-agent's --allow-mark-trusted) you can do
that for a self-signed certificate. In theory we could add a validation
model to gpgsm which always trusts a certificate. In 2.1beta3, we added
the validation model "seed" which does something like this. It trusts
all root certificates with a special attribute. If you add this
attribute to your certificate you are done. However, the actual idea
behind that feature is, that you use a well known private key and
certificate to issue your certificates (dubbed, the STEED Self-Signing
Nonthority). In the end it is the same as a self-signed certificate.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
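The steps Werner describes, put into a script as an added example that is not part of this thread or of GnuPG itself: it assumes gpgsm/gpg-agent 2.x, GNUPGHOME pointing at a scratch directory, and the fingerprint from Daniel's command; the trustlist.txt line format ("fingerprint S") and the gpgconf reload come from the gpg-agent documentation, not from the post.

```shell
#!/bin/sh
# Added example: mark a self-signed X.509 certificate as a trusted root for
# gpgsm, turn on gpg-agent logging (the "No Value" message is misleading, the
# agent log shows the real cause) and encrypt a finite file to it.
set -eu

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"          # assumed scratch home
FPR="A17951D33720CCE03E1065ABB7BBC16CC11CCBB9"    # fingerprint from the post

# trustlist.txt line: "<40-hex SHA-1 fingerprint> S" (S = trust it for X.509).
# Colons and spaces are tolerated on input; anything else is rejected.
trustlist_entry() {
    fpr=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*|"") echo "bad fingerprint: $1" >&2; return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || { echo "fingerprint must be 40 hex digits" >&2; return 1; }
    printf '%s S\n' "$fpr"
}

# gpg-agent.conf options mentioned in the post: real logging so a failure has
# a visible cause, and allow-mark-trusted so gpgsm may trust a new root.
agent_conf() {
    cat <<EOF
allow-mark-trusted
log-file $GNUPGHOME/gpg-agent.log
debug-level basic
EOF
}

setup_and_encrypt() {
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    agent_conf > "$GNUPGHOME/gpg-agent.conf"
    entry=$(trustlist_entry "$FPR")
    # Append the trust anchor only once; gpg-agent must be told to re-read it.
    grep -qs "^$FPR" "$GNUPGHOME/trustlist.txt" \
        || printf '%s\n' "$entry" >> "$GNUPGHOME/trustlist.txt"
    gpgconf --reload gpg-agent
    # A finite input, not /dev/urandom; output is CMS (.p7m).
    gpgsm --encrypt --recipient "$FPR" --output archive.tar.gz.p7m archive.tar.gz
}

# Only touch the key ring when explicitly asked and gpgsm is installed.
if command -v gpgsm >/dev/null 2>&1 && [ "${1:-}" = "run" ]; then
    setup_and_encrypt
fi
```

Run with `sh script.sh run` after exporting GNUPGHOME; the certificate itself must already have been created with `gpgsm --gen-key` (or imported) under that home.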