[gnutls-dev] On key usage flags

Ludovic Courtès ludo at gnu.org
Mon Sep 10 18:30:15 CEST 2007


ludo at gnu.org (Ludovic Courtès) writes:

> Recently, I tried to use OpenPGP-based authentication with the
> `RSA_NULL_MD5' cipher suite (i.e., no encryption).  To that end, I
> generated (with GnuPG) an RSA OpenPGP key pair, and wrote a test program
> that specifies the right kx/cipher/mac priorities.
> Unfortunately, that doesn't work, because the generated OpenPGP key
> doesn't have the "encryption" key usage flag, which means that
> `_gnutls_selected_cert_supported_kx ()' will reject it while looking for
> a cipher suite.
> I don't know about X.509, but OpenPGP key usage flags are informative
> rather than authoritative.  Thus, I'm wondering whether we should really
> systematically pay attention to them.  Providing the option to honor
> them (e.g., through user-definable hooks) may be wise, but enforcing it
> doesn't feel right.  In addition, GPG doesn't really permit usage flags
> to be chosen, making it hard to create a suitable key.

Ping!  :-)

Thanks in advance,
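An added example, not code from this thread or from GnuTLS itself, that models the behaviour the quoted message describes: the OpenPGP Key Flags subpacket (RFC 4880, type 27) is parsed and the usage bits decide which TLS key-exchange methods the key may serve, so a GnuPG key flagged certify+sign only cannot be offered for plain RSA key exchange (as in `RSA_NULL_MD5`) while it can still sign for DHE-RSA. The selection policy and sample packets are constructed for this illustration, not taken from `_gnutls_selected_cert_supported_kx ()`.

```python
# Illustrative model of key-usage gating of TLS key exchange for OpenPGP keys.
# The policy here is this example's own, not GnuTLS's actual code.

# OpenPGP key flag bits (RFC 4880, section 5.2.3.21)
PGP_CERTIFY       = 0x01
PGP_SIGN          = 0x02
PGP_ENCRYPT_COMMS = 0x04
PGP_ENCRYPT_STORE = 0x08
PGP_AUTH          = 0x20

KEY_FLAGS_SUBPACKET = 27


def parse_key_flags(subpacket: bytes) -> int:
    """Return the first flags octet of a Key Flags signature subpacket.

    Layout (one-octet length form): [length][type=27][flags...], where
    length counts the type octet plus the body, as in RFC 4880 5.2.3.1.
    """
    if len(subpacket) < 3 or subpacket[0] < 2:
        raise ValueError("truncated subpacket")
    length, sp_type = subpacket[0], subpacket[1]
    if sp_type != KEY_FLAGS_SUBPACKET:
        raise ValueError("not a Key Flags subpacket")
    body = subpacket[2:1 + length]
    return body[0] if body else 0


def supported_kx(flags: int) -> list:
    """Key-exchange methods whose use of the key matches its usage flags."""
    kx = []
    if flags & PGP_ENCRYPT_COMMS:
        kx.append("RSA")       # plain RSA kx: client encrypts premaster to the key
    if flags & PGP_SIGN:
        kx.append("DHE-RSA")   # ephemeral DH: the key only signs ServerKeyExchange
    return kx


# Constructed sample: a GnuPG-style primary key flagged certify+sign only.
SIGN_ONLY = bytes([0x02, KEY_FLAGS_SUBPACKET, PGP_CERTIFY | PGP_SIGN])
# Constructed sample: the same key with the encrypt-communications flag set.
SIGN_AND_ENCRYPT = bytes([0x02, KEY_FLAGS_SUBPACKET,
                          PGP_CERTIFY | PGP_SIGN | PGP_ENCRYPT_COMMS])

if __name__ == "__main__":
    for name, pkt in (("sign-only", SIGN_ONLY), ("sign+encrypt", SIGN_AND_ENCRYPT)):
        print(name, supported_kx(parse_key_flags(pkt)))
```

With the sign-only key the RSA method is absent from the result, which is the rejection the message reports; whether a TLS stack should enforce the flags this strictly for OpenPGP is the question the thread raises.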

