[Help-gnutls] Re: OpenPGP certificate verification for TLS connections
Rupert Kittinger-Sereinig
rks at mur.at
Tue Apr 17 23:10:24 CEST 2007
Daniel Kahn Gillmor wrote:
>
>> So what I *really* want is a host key that's signed by the systems'
>> admin key, and I want to tell my users, or rather my default user
>> setup, "if you see a host key that's signed by _that_ key here, and
>> if you're connecting to hosts in _these_ domains, maybe print a nice
>> info the first time you see it in an interactive session, but
>> otherwise assume it's OK".
>
> i'd agree with this, except i'd say "if you see a host key *bound to
> the expected User ID* signed by _that_ key..."
>
> This is because the client should be checking not just that the key is
> signed by a trusted authority, but that the authority claims it
> belongs to the entity the client is connecting to.
>
> It does raise an interesting question of whether the web-of-trust
> should be able to accommodate "only trust key X signatures when they're
> bound to User IDs of the following form". This would let you say, for
> example, "i trust dkg to identify people/servers within the
> fifthhorseman.net domain, but i'd rather not trust his identifications
> of anyone else."
>
> Is there a way to represent something like that in the current
> web-of-trust architecture?
>
In principle, this should be easy: keep different keyrings and/or
trustdbs for different groups of user IDs. Whether this is easy to
implement with concrete implementations is another question :-)
Rupert
--
Rupert Kittinger-Sereinig <rks at mur.at>
Krenngasse 32
A-8010 Graz
Austria
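The check dkg describes (trust a certifier only for User IDs in its own domain, and only on the User ID that names the host being contacted) and Rupert's idea of separate trust scopes per group of User IDs, written out as an added Python example; this is not code from the thread or from GnuTLS, and the certificate model, fingerprints and host names are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass, field

# Hypothetical, simplified model of an OpenPGP certificate: one key, its
# User IDs, and the certifications (signatures) made over each User ID.
# Fingerprints and host names are constructed placeholders for the example.
@dataclass
class Certificate:
    fingerprint: str
    user_ids: list
    # (user_id, signer_fingerprint) pairs: a certification binds the key to
    # that one User ID only, not to the key as a whole.
    certifications: list = field(default_factory=list)

# Scoped trust: each certifier fingerprint (constructed) is trusted only for
# User IDs matching its glob patterns, i.e. "dkg for fifthhorseman.net".
SCOPED_TRUST = {
    "DKG0000FINGERPRINT": ["*@fifthhorseman.net", "*.fifthhorseman.net"],
    "ADMIN00FINGERPRINT": ["*.example.org"],
}

def certifier_in_scope(signer, user_id, trust=SCOPED_TRUST):
    """True if `signer` is a trusted certifier and `user_id` is within its scope."""
    return any(fnmatch.fnmatchcase(user_id, pat) for pat in trust.get(signer, []))

def verify_host_key(cert, expected_host, trust=SCOPED_TRUST):
    """Accept the key only if an authority trusted for that domain certified
    the User ID naming the host we are connecting to."""
    if expected_host not in cert.user_ids:
        return False, "key carries no User ID for %s" % expected_host
    for uid, signer in cert.certifications:
        if uid != expected_host:
            continue  # a signature on another User ID does not bind this one
        if certifier_in_scope(signer, uid, trust):
            return True, "User ID %s certified by %s (in scope)" % (uid, signer)
    return False, "no in-scope certification of User ID %s" % expected_host

if __name__ == "__main__":
    host_key = Certificate(
        "HOST000FINGERPRINT",
        ["www.fifthhorseman.net", "mail.example.org"],
        [("www.fifthhorseman.net", "DKG0000FINGERPRINT"),
         ("mail.example.org", "DKG0000FINGERPRINT")],  # dkg out of scope here
    )
    print(verify_host_key(host_key, "www.fifthhorseman.net"))  # accepted
    print(verify_host_key(host_key, "mail.example.org"))       # rejected
```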