[Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
From: Simon Josefsson
Subject: [Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
Date: Thu, 12 Apr 2007 11:02:29 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.95 (gnu/linux)
Daniel Kahn Gillmor <address@hidden> writes:
> On Wed 2007-04-11 12:46:37 -0400, Ludovic Courtès wrote:
>
>> It feels strange to me to fill the user ID packet with something
>> that is not an RFC822 mail name, even though this is just a
>> convention.
>
> I agree that it feels strange! But I'm really hoping to see OpenPGP
> keys used in place of X.509 certs for TLS, so we need to think about
> what's the appropriate thing to put there, and how various Certificate
> authorities and clients should interpret it.
>
> The TLS-OpenPGP draft [0] doesn't seem to say anything about it:
>
> Considerations about the use of the web of trust or identity and
> certificate verification procedure are outside the scope of this
> document. These are considered issues to be handled by the
> application layer protocols.
>
> Is there another draft addressing this issue? I think a declared
> convention for certificate verification during a TLS connection would
> help folks understand this new model. When you connect to a
> TLS-enabled service, you aren't connecting to an RFC 822 e-mail
> address. What would you look for in the UID of an OpenPGP-style cert
> offered by such a service?
>
> Any thoughts, suggestions, or pointers from other TLS-savvy folks on
> this list?
I just realized: Do we have to use the ID packet for this purpose?
Can't we define a new OpenPGP packet, similar to the X.509 Subject
Alternative Name extension? I think this is similar to how X.509
evolved: first you placed the server name in the CN, then you invented
an extension packet to hold it.
In any case, to provide interoperability, I believe there should be an
IETF document specifying this. I'm quite busy, but I would be
interested in helping such a project. Approaching the tls-openpgp
authors and/or the OpenPGP WG to discuss the extension could be a
first step.
/Simon
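The check this thread is circling, verifying a TLS peer's host name against the names an OpenPGP key carries, as an added example in Python. It is not GnuTLS code and does not describe what `gnutls_openpgp_key_check_hostname()` itself does. It models both conventions under discussion: a bare DNS name placed in a User ID packet (alongside the conventional `Name <user@host>` form), and a separate list of explicit DNS names standing in for the SAN-like packet Simon proposes, which is hypothetical and does not exist in OpenPGP. Matching follows the X.509 rules practitioners already know (case-insensitive, `*` only as the whole leftmost label matching exactly one label). The sample identities are constructed, not taken from any real key.

```python
import re

# OpenPGP User IDs are conventionally RFC 2822 name-addr strings: "Name (comment) <user@host>".
_NAME_ADDR = re.compile(r"^(?P<name>[^<]*)<(?P<addr>[^<>@]+@(?P<domain>[^<>@]+))>\s*$")
# One DNS label after lower-casing: LDH rule, 1..63 chars, no leading/trailing hyphen.
_DNS_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_dns_name(name):
    """Lower-case, strip a trailing dot, and return None unless the result is a
    syntactically valid DNS name (at least two labels; a wildcard is only allowed
    as the entire leftmost label and must leave at least two real labels)."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2:
        return None
    if labels[0] == "*":
        if len(labels) < 3:
            return None          # "*.org" would match every second-level domain
        labels = labels[1:]
    if not all(_DNS_LABEL.match(label) for label in labels):
        return None
    return name


def candidate_names(uids, explicit_names=()):
    """Collect (name, source) pairs a verifier could match against.
    source is 'explicit' for the hypothetical dedicated-name list (assumed, not an
    OpenPGP packet), 'uid' for a bare DNS name in a User ID, and 'uid-domain' for
    the domain part of an e-mail address in a User ID."""
    out = []
    for raw in explicit_names:
        norm = normalize_dns_name(raw)
        if norm:
            out.append((norm, "explicit"))
    for uid in uids:
        m = _NAME_ADDR.match(uid)
        if m:
            norm = normalize_dns_name(m.group("domain"))
            if norm:
                out.append((norm, "uid-domain"))
        else:
            norm = normalize_dns_name(uid)
            if norm:
                out.append((norm, "uid"))
    return out


def name_matches(pattern, hostname):
    """RFC 2818-style comparison on already-normalized names: exact match, or a
    leading '*.' that stands for exactly one label (no match across dots)."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.net"
    if not hostname.endswith(suffix):
        return False
    first = hostname[: -len(suffix)]          # the label the '*' must cover
    return first != "" and "." not in first


def check_hostname(hostname, uids, explicit_names=(), accept_uid_domain=False):
    """Return the (name, source) pair that matched, or None.
    The domain of an e-mail-style User ID is ignored unless accept_uid_domain is
    set: a key for admin@example.org says nothing about who runs TLS on example.org."""
    target = normalize_dns_name(hostname)
    if target is None or target.startswith("*."):
        return None
    for name, source in candidate_names(uids, explicit_names):
        if source == "uid-domain" and not accept_uid_domain:
            continue
        if name_matches(name, target):
            return (name, source)
    return None


# Constructed sample identities for one key (not from any real key).
SAMPLE_UIDS = [
    "Example Web Service <admin@example.org>",   # conventional RFC 822 form
    "www.example.org",                           # bare host name in a UID
]
SAMPLE_EXPLICIT = ["*.example.net"]               # hypothetical dedicated-name list

if __name__ == "__main__":
    print(check_hostname("WWW.Example.ORG.", SAMPLE_UIDS))
    print(check_hostname("example.org", SAMPLE_UIDS))
    print(check_hostname("mail.example.net", SAMPLE_UIDS, SAMPLE_EXPLICIT))
    print(check_hostname("a.b.example.net", SAMPLE_UIDS, SAMPLE_EXPLICIT))
```

The `source` tag returned with the match is the policy hook: a caller can insist on `explicit` names once a dedicated packet exists, accept `uid` as the interim convention, and treat `uid-domain` as the weak inference it is.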