gnutls + openpgp

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 6 05:32:24 CET 2012


On 11/03/2012 03:26 PM, Nikos Mavrogiannopoulos wrote:
>  It seem that the IETF TLS working group is defining a new certificate
> type extension, which in short makes the openpgp certificate type
> extension obsolete. The authors of the new draft are not very keen into
> adding the openpgp key type into the new certificate type extension,
> based on the fact that this is not widely used. So my question is does
> it really make sense to pursue that? Are there applications using gnutls
> with openpgp keys?
> 
> And even more, if it is shown they are not widely used, does it make
> sense to support openpgp keys in gnutls at all?

given the hassle involved in convincing other major TLS implementations
to adopt TLS extensions, and the lack of adoption of OpenPGP
certificates in TLS in general, i've been thinking recently that the
simpler approach is just to propose and implement new "standards" within
the X.509 space and allow the verifiers to transform the weird
certificates on either side.  The worst thing that happens there is
something akin to a browser warning; and if you can propose an X.509
verification routine or plugin for the peers, it's possibly narrower in
scope than asking for a TLS extension.

The downside of this approach, of course, is that there's no clear way
to signal that a non-standard X.509 certificate would be acceptable for
the remote peer :(  Oh, and the other major downside of course is that
the X.509 format is a really ungainly one, if you had to choose a
generic container.

I'm pretty disheartened by the TLS WG's rationales for discarding RFC
6091 when working on oob-key, though.  If the main concern is that there
isn't a mechanism for indicating the difference between what kinds of
certificates you're prepared to offer, and what kind of certificates
you're prepared to accept, then it seems to me that should be fixed as a
revision of 6091, rather than maintain two separate registries of
certificate types.

I'd reply with something like this on the IETF list, but i'm not sure
how useful that would be, given the back-and-forth you've already had.

Any thoughts on what sort of feedback i might give that would be useful?

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20121105/450b450e/attachment.pgp>


More information about the Gnutls-help mailing list