[Help-gnutls] Re: OpenPGP certificate verification for TLS connections

Ludovic Courtès ludovic.courtes at laas.fr
Thu Apr 19 10:17:30 CEST 2007


Hi,

Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:

> On Wed 2007-04-18 03:34:29 -0400, Ludovic Courtès wrote:

[...]

>> That's probably a useful usage pattern.  The problem that I see is
>> that it would be non-standard, 
>
> I'm not convinced that using User IDs for authorization is
> non-standard.

[...]

> In short, the client *authenticates* with her certificate, and the
> server *authorizes* against her User ID.

Right, but that's X.509.  ;-)  By "non-standard", I meant that it is not
currently standardized, e.g., by RFC 2440.

> By analogy with OpenSSL (which contains significant infrastructure for
> managing X.509 certificate hierarchy trust), i would suggest that it
> is not outside the scope of GnuTLS to implement a well-thought-out
> scheme for trust checking when using OpenPGP certificates.

Sure, but the first step would probably be to try and standardize this
practice through an RFC.

Thanks,
Ludovic.