[Help-gnutls] Re: OpenPGP certificate verification for TLS connections
Ludovic Courtès
ludovic.courtes at laas.fr
Wed Apr 18 09:17:31 CEST 2007
Hi,
Rupert Kittinger-Sereinig <rks at mur.at> writes:
> Ludovic Courtès schrieb:
>> Hi,
>>
>> Rupert Kittinger-Sereinig <rks at mur.at> writes:
[...]
>>> I mean trusted in the sense of the pgp trustdb. Ideally, every user
>>> should be able to configure how he wants to construct his web of trust.
>>>
>>> E.g. for a server application, the admin could choose a handfull of
>>> "user managers" whose keys he would put in the keyring and assign
>>> ultimte trust to each one.
>>>
>>> Another example: a user of web services could validate the server key
>>> fingerprint, and locally sign them with his own key.
>>
>> Nitpick: As mentioned earlier in this thread, signing an OpenPGP public
>> key means that "the signer is testifying to his or her belief that this
>> public key belongs to the user identified by this user ID" [RFC 2440,
>> Section 10.1]. I think this is not what you want here.
>>
>> Thanks,
>> Ludovic.
>>
>
> Why do you think so? If I verify that the key belongs to a person (e.g
> by checking the fingerprint) I may well document that for later
> reference by signing the key.
Just because you know for sure that key XYZ belongs to Mr. Someone whom
you've met at the pub the day before doesn't mean you grant him
_authorization_ to use the service you provide.
Instead, you need something that says "key XYZ is authorized to take
such and such actions". And this does not depend on whether key XYZ
actually belongs to Mr. Someone.
Thanks,
Ludovic.
More information about the Gnutls-help
mailing list