[gnutls-dev] On key usage flags

Ludovic Courtès ludo at gnu.org
Wed Aug 1 23:35:19 CEST 2007


Recently, I tried to use OpenPGP-based authentication with the
`RSA_NULL_MD5' cipher suite (i.e., no encryption).  To that end, I
generated (with GnuPG) an RSA OpenPGP key pair, and wrote a test program
that specifies the right kx/cipher/mac priorities.

Unfortunately, that doesn't work, because the generated OpenPGP key
doesn't have the "encryption" key usage flag, which means that
`_gnutls_selected_cert_supported_kx ()' will reject it while looking for
a cipher suite.

I don't know about X.509, but OpenPGP key usage flags are informative
rather than authoritative.  Thus, I'm wondering whether we should really
systematically pay attention to them.  Providing the option to honor
them (e.g., through user-definable hooks) may be wise, but enforcing it
doesn't feel right.  In addition, GPG doesn't really permit usage flags
to be chosen, making it hard to create a suitable key.

What do you think?
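To make the mechanism in the post concrete, here is an added example (not code from the post, and not GnuTLS's own implementation) that parses the OpenPGP key-flags subpacket (RFC 4880, section 5.2.3.21) from a signature's hashed subpacket area and derives which RSA key exchanges a key may serve. The function names `iter_subpackets`, `key_flags`, `supported_kx` and `select_kx` are assumptions, as is the modelled rule (RSA key transport needs an encryption flag, DHE-RSA needs the signing flag); the sample subpacket bytes are constructed for the example. The `enforce` switch is the "honor the flags or treat them as informative" option the post discusses.

```python
# Added example, not GnuTLS code: parse OpenPGP (RFC 4880) signature
# subpackets, read the key-flags octet and map it to permissible TLS key
# exchanges for an RSA key.  Function names and the kx rule are assumptions.

KEY_FLAG_CERTIFY = 0x01
KEY_FLAG_SIGN = 0x02
KEY_FLAG_ENCRYPT_COMMS = 0x04
KEY_FLAG_ENCRYPT_STORAGE = 0x08
KEY_FLAG_AUTH = 0x20

SUBPACKET_KEY_FLAGS = 27  # RFC 4880 section 5.2.3.21


def iter_subpackets(data: bytes):
    """Yield (type, body) for each subpacket in a hashed/unhashed subpacket
    area (RFC 4880 section 5.2.3.1).  Length octets cover the type octet."""
    pos, n = 0, len(data)
    while pos < n:
        first = data[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            if pos + 1 >= n:
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + data[pos + 1] + 192
            pos += 2
        else:
            if pos + 5 > n:
                raise ValueError("truncated subpacket length")
            length = int.from_bytes(data[pos + 1:pos + 5], "big")
            pos += 5
        if length == 0 or pos + length > n:
            raise ValueError("subpacket runs past end of data")
        sp_type = data[pos] & 0x7F  # bit 7 is the 'critical' marker; strip it
        yield sp_type, data[pos + 1:pos + length]
        pos += length


def key_flags(subpacket_data: bytes):
    """Return the first key-flags octet, or None when no such subpacket exists."""
    for sp_type, body in iter_subpackets(subpacket_data):
        if sp_type == SUBPACKET_KEY_FLAGS and body:
            return body[0]
    return None


def supported_kx(flags, enforce=True):
    """Key exchanges an RSA key may be offered for, given its key-flags octet.

    Modelled rule (assumption, not GnuTLS's table): RSA key transport needs an
    encryption flag, DHE-RSA needs the signing flag.  With enforce=False the
    flags are informative only, as the post proposes; a missing subpacket is
    treated as 'no restriction' (also an assumption)."""
    all_kx = {"RSA", "DHE-RSA"}
    if not enforce or flags is None:
        return set(all_kx)
    kx = set()
    if flags & (KEY_FLAG_ENCRYPT_COMMS | KEY_FLAG_ENCRYPT_STORAGE):
        kx.add("RSA")
    if flags & KEY_FLAG_SIGN:
        kx.add("DHE-RSA")
    return kx


def select_kx(offered, flags, enforce=True):
    """First key exchange from the priority list that the key is allowed to
    serve, or None when the key is rejected for every offered suite."""
    allowed = supported_kx(flags, enforce)
    for kx in offered:
        if kx in allowed:
            return kx
    return None


# Constructed sample subpacket areas (not taken from any real key):
# creation-time subpacket (type 2, 4 octets) followed by key flags.
SIGN_ONLY_AREA = bytes([0x05, 0x02, 0x46, 0xB0, 0xE0, 0x00,   # creation time
                        0x02, 0x1B, KEY_FLAG_CERTIFY | KEY_FLAG_SIGN])
ENCRYPT_AREA = bytes([0x02, 0x1B, KEY_FLAG_ENCRYPT_COMMS | KEY_FLAG_ENCRYPT_STORAGE])

if __name__ == "__main__":
    for name, area in (("sign-only", SIGN_ONLY_AREA), ("encrypt", ENCRYPT_AREA)):
        flags = key_flags(area)
        print(name, hex(flags), "enforced:", select_kx(["RSA"], flags),
              "informative:", select_kx(["RSA"], flags, enforce=False))
```

Run as-is, the sign-only key (the shape GnuPG produces for an RSA primary key) is rejected for the `RSA` key exchange when flags are enforced and accepted when they are merely informative, which is exactly the behaviour difference the post asks about.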

