Re: [Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'


From: Daniel Kahn Gillmor
Subject: Re: [Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
Date: Wed, 11 Apr 2007 14:19:13 -0400
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

On Wed 2007-04-11 12:46:37 -0400, Ludovic Courtès wrote:

> It feels strange to me to fill the user ID packet with something
> that is not an RFC822 mail name, even though this is just a
> convention.

I agree that it feels strange!  But i'm really hoping to see OpenPGP
keys used in place of X.509 certs for TLS, so we need to think about
what's the appropriate thing to put there, and how various Certificate
authorities and clients should interpret it.

The TLS-OpenPGP draft [0] doesn't seem to say anything about it:

   Considerations about the use of the web of trust or identity and
   certificate verification procedure are outside the scope of this
   document.  These are considered issues to be handled by the
   application layer protocols.

Is there another draft addressing this issue?  I think a declared
convention for certificate verification during a TLS connection would
help folks understand this new model.  When you connect to a
TLS-enabled service, you aren't connecting to an RFC 822 e-mail
address.  What would you look for in the UID of an OpenPGP-style cert
offered by such a service?

Any thoughts, suggestions, or pointers from other TLS-savvy folks on
this list?

     --dkg

[0] http://www.ietf.org/internet-drafts/draft-ietf-tls-openpgp-keys-11.txt