[gnutls-dev] question about openpgp authentication

Nikos Mavroyanopoulos nmav at gnutls.org
Sun Nov 23 18:24:09 CET 2003

On Sat, Nov 22, 2003 at 02:32:19PM -0800, Charles 'Buck' Krasic wrote:

> Hi,
> I'm experimenting with GnuTLS, to see if it might work in my video
> streaming system. The OpenPGP authentication is what has attracted me
> to GnuTLS.
> I'm new to GnuTLS (and GnuPG too), so I'm still coming to grips with
> how the API should be used.
> My question regards secret keys and passphrases. It seemed that to get
> the GnuTLS handshake to work, I had to remove the passphrase from my
> secret key. Is this correct? This seems to make sense, since I can't
> see how GnuTLS could use the key otherwise. If so, I would prefer that
> the key be passphrase protected, since leaving secret keys unprotected
> is generally a pretty bad idea. Hence, is there any hope that GnuTLS
> might add some support for passphrase checking of secret keys? Or is
> there some other software that would do this?

The current GnuTLS API does not allow encrypted OpenPGP keys. This
might change in the future (after the first stable release). Servers need
to have the keys decrypted, because they must read the keys non-interactively,
and adding a password into a configuration file is as bad as having the
plain key.

Clients may use encrypted keys, but they need to use GnuPG for now.
They should decrypt the key (with GnuPG), pass it to GnuTLS,
and then delete the decrypted one.

> -- Buck

Nikos Mavroyanopoulos
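The client-side workaround Nikos describes (decrypt with GnuPG, hand the plaintext key to GnuTLS, delete it afterwards) is easy to get wrong in the details: the decrypted key can land in a world-readable path, or survive on disk when the client crashes or is interrupted. The POSIX shell script below is an added illustration of that three-step procedure with those two failure modes handled; it is not code from the GnuTLS project or from this thread. The decryption command and the client command are parameters, passed as strings, because the exact GnuPG invocation that produces an unprotected key and the exact gnutls-cli options are assumptions here, not something the message specifies; the client command is expected to read the key path from the KEYFILE environment variable.

```shell
#!/bin/sh
# Added example, not part of the gnutls-dev thread: keep a decrypted
# OpenPGP secret key on disk only for the lifetime of one client run.
#
# run_with_temp_key DECRYPT_CMD CLIENT_CMD
#   DECRYPT_CMD  a shell command that writes the decrypted key to stdout
#   CLIENT_CMD   a shell command that reads the key path from $KEYFILE
# Example (both commands are assumptions about gnupg/gnutls-cli usage):
#   run_with_temp_key 'gpg --decrypt key.gpg.asc' \
#                     'gnutls-cli --pgpkeyfile "$KEYFILE" example.net'

# Overwrite a small file in place before unlinking it.  This is a
# best-effort measure: journaling and flash wear-levelling can keep old
# blocks around regardless.
wipe_file() {
    f=$1
    [ -f "$f" ] || return 0
    n=$(( $(wc -c < "$f") ))
    if [ "$n" -gt 0 ]; then
        dd if=/dev/zero of="$f" bs=1 count="$n" conv=notrunc 2>/dev/null
    fi
    rm -f "$f"
}

# The body is a subshell so that umask and the EXIT trap stay local to
# one call and the trap fires on normal return, error and signals alike.
run_with_temp_key() (
    decrypt_cmd=$1
    client_cmd=$2
    status=0

    # 1. Private scratch directory and file: owner-only from creation.
    umask 077
    keydir=$(mktemp -d) || exit 1
    keyfile="$keydir/secret.gpg"
    trap 'wipe_file "$keyfile"; rmdir "$keydir" 2>/dev/null' EXIT HUP INT TERM

    # 2. Decrypt straight into the scratch file; nothing is ever written
    #    to a shared location.
    sh -c "$decrypt_cmd" > "$keyfile" || status=$?

    # 3. Hand the plaintext key to the client only if decryption worked.
    if [ "$status" -eq 0 ]; then
        KEYFILE=$keyfile sh -c "$client_cmd" || status=$?
    fi

    # 4. Leaving the subshell runs the trap: wipe, unlink, remove dir.
    exit "$status"
)
```

The status of the decryption step gates the client step, so a wrong passphrase or a missing key file never runs the client against an empty key, and the return value of run_with_temp_key is whichever step failed first.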
