Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread Peter Lebbing
On 06/02/14 03:48, Hauke Laging wrote: the respective CA could automatically create a signature for it as Peter has explained Actually, I suggested leveraging an existing X.509 certification to induce validity in the OpenPGP model. The CA would not be actively involved. So the best way would

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 6 February 2014 at 2:48:31 AM, in mid:1544219.jccljRtAK9@inno, Hauke Laging wrote: Of course, someone could both not care about CAs and be interested in spreading OpenPGP but that attitude would raise some very interesting

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 4 February 2014 at 6:38:07 PM, in mid:52f1338f.7030...@digitalbrains.com, Peter Lebbing wrote: FWIW, CACert signs OpenPGP keys of verified people with key 0xD2BB0D0165D0FD58 if you want them to. Since it's 1024-bit DSA, it's a

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread Robert J. Hansen
On 2/6/2014 7:32 AM, MFPA wrote: Really not that interesting. It is possible for CAs to be used with OpenPGP, but OpenPGP doesn't _need_ CAs. Quite the contrary. If there are no CAs, then no certificate possesses any validity. Don't confuse OpenPGP doesn't need *external* CAs with OpenPGP

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 6 February 2014 at 2:26:33 PM, in mid:52f39b99.6090...@sixdemonbag.org, Robert J. Hansen wrote: Don't confuse "OpenPGP doesn't need *external* CAs" with "OpenPGP doesn't need CAs". You are your own certificate authority in OpenPGP;

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread Mark H. Wood
On Wed, Feb 05, 2014 at 09:06:25PM +0100, Werner Koch wrote: On Wed, 5 Feb 2014 19:04, pe...@digitalbrains.com said: An X.509 certification obviously certifies that a certain X.509 certificate belongs to the person or role identified by the Distinguished Name. But seen a Almost all

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread Mark H. Wood
On Wed, Feb 05, 2014 at 10:30:38PM +0100, Peter Lebbing wrote: By the way, I still think the CA certifies that the certificate belongs to the person or role identified by the DN. The problem is that when someone vouches for the truth of something, that doesn't make it an actual fact. It

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 6 February 2014 at 4:10:33 PM, in mid:20140206161033.ge30...@iupui.edu, Mark H. Wood wrote: The problem is that a CPS can say *anything*. Without reading it, you have no way of knowing what you should expect that CA's

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread Robert J. Hansen
I would say that where an individual makes up their own mind which certificates to mark as valid, they are not using a CA at all. If a second individual is asking the first individual which certificates to accept, the second individual is using the first as a CA. You are free to redefine black

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 6 February 2014 at 6:29:35 PM, in mid:20140206102935.horde.-af3gsq0xd6sxqnzge2i...@mail.sixdemonbag.org, Robert J. Hansen wrote: You are free to redefine black as white while you're at it. Thanks, I'm sure it will come in handy

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread Avi
On Thu, Feb 6, 2014 at 2:20 PM, MFPA 2014-667rhzu3dc-lists-gro...@riseup.net wrote: On Thursday 6 February 2014 at 6:29:35 PM, in mid:20140206102935.horde.-af3gsq0xd6sxqnzge2i...@mail.sixdemonbag.org, Robert J. Hansen wrote: When you decide which certificates to accept, you are serving as your

Re: making the X.509 infrastructure available for OpenPGP

2014-02-06 Thread Robert J. Hansen
No I am not. An example of a similarly false statement would be "When a trader does not employ an accountant he is serving as his own accountant." You don't have a false statement so much as a logical paradox: when a trader has no accountant, he is his own accountant -- structurally, it's

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Werner Koch
On Wed, 5 Feb 2014 06:03, d...@fifthhorseman.net said: Werner recently (in message ID 87zjmv127f@vigenere.g10code.de) indicated his acceptance of a notation named extended-us...@gnupg.org with a value that can be set to bitcoin. Maybe the same notation We can do that as soon as gniibe

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Werner Koch
On Wed, 5 Feb 2014 04:15, mailinglis...@hauke-laging.de said: Wow. Does that mean that PGP can verify OpenPGP keys with X.509 certificates (in combination with a related OpenPGP certificate)? Or is this just a theoretical feature? IIRC, the PGP desktop client also integrated an IPsec

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Peter Lebbing
That is not what I suggest. You can assign certification trust to any key. Why should this of all keys not be done with certain CA keys? Ah, I had missed that nuance a bit, sorry. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Peter Lebbing
On 05/02/14 11:23, Werner Koch wrote: In general it does not make sense to use the same key - there is no advantage. I could think of /a/ reason to do it. You could leverage existing X.509 certifications by CAs to verify key validity in the OpenPGP world. An X.509 certification obviously

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Daniel Kahn Gillmor
On 02/05/2014 01:04 PM, Peter Lebbing wrote: So you could create a hybrid model: I assign trust to a specific CA. That CA has issued a certificate with DN XYZ. In my public OpenPGP keyring, there exists a key with a UID XYZ, and that public key has the same raw key material as the

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Werner Koch
On Wed, 5 Feb 2014 19:04, pe...@digitalbrains.com said: An X.509 certification obviously certifies that a certain X.509 certificate belongs to the person or role identified by the Distinguished Name. But seen a Almost all X.509 certification in public use certify only one of two things: -

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Daniel Kahn Gillmor
On 02/05/2014 03:06 PM, Werner Koch wrote: Almost all X.509 certification in public use certify only one of two things: - Someone has pushed a few bucks over to the CA. - Someone has convinced the CA to directly or indirectly issue a certificate. To further clarify: Domain

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Peter Lebbing
On 05/02/14 21:06, Werner Koch wrote: Almost all X.509 certification in public use certify only one of two things: I never intended my message to say I would trust any CA. Hauke was looking for a way to leverage trust in a CA; I was merely contributing something I thought he might find

Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Hauke Laging
Am Mi 05.02.2014, 11:23:24 schrieb Werner Koch: In general it does not make sense to use the same key - there is no advantage. I think that is not correct. It is today but not from the perspective of my proposal. a) If a CA uses the same key in both formats then we can get the advantage

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Mark H. Wood
On Tue, Feb 04, 2014 at 04:55:56AM +0100, Hauke Laging wrote: [snip] Now my point: Keys can be converted from one format to the other. The fingerprint changes but obviously the keygrip doesn't. I believe it would make a lot of sense to create a connection between gpg and gpgsm and point

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Daniel Kahn Gillmor
On 02/04/2014 09:01 AM, Mark H. Wood wrote: Having said that, you might look at how OpenSSH has included X.509 certificates in its operation. There is precedent for something like what you suggest. fwiw, the answer here is they haven't. Roumen Petrov's X.509 patches remain outside of OpenSSH

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Daniel Kahn Gillmor
On 02/03/2014 10:55 PM, Hauke Laging wrote: This idea came to my mind while I was wondering why several CAs offer free (but rather useless...) certificates for X.509 but not for OpenPGP. Whatever they do with X.509 can be done with OpenPGP, too (e.g. setting an expiration date for the

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Hauke Laging
Am Di 04.02.2014, 11:09:42 schrieb Daniel Kahn Gillmor: We have such an indicator format going in the opposite direction (pointing from X.509 to the related OpenPGP cert). In particular, it's the X509v3 extension known as PGPExtension Interesting, I didn't know that. I don't know of a

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Melvin Carvalho
On 4 February 2014 15:47, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: On 02/04/2014 09:01 AM, Mark H. Wood wrote: Having said that, you might look at how OpenSSH has included X.509 certificates in its operation. There is precedent for something like what you suggest. fwiw, the

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Peter Lebbing
On 04/02/14 17:09, Daniel Kahn Gillmor wrote: If there is a public CA that is willing to offer OpenPGP certificates, i would like to know about it (whether they offer them with the same key they use for their X.509 activities or not). FWIW, CACert signs OpenPGP keys of verified people with key

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Werner Koch
On Tue, 4 Feb 2014 17:09, d...@fifthhorseman.net said: I don't know of a formalized way to do the other mapping, but it seems like it would be pretty straightforward to embed the full X.509 certificate in a notation packet on a self-sig (presumably a self-sig PGP does this. IIRC, Hal Finney

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Hauke Laging
Am Di 04.02.2014, 19:38:07 schrieb Peter Lebbing: And CACert still isn't in the default trusted root bundle on quite some systems, I believe. And will probably never be. extending the trust in that broken model to OpenPGP That is not what I suggest. You can assign certification trust to

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Hauke Laging
Am Di 04.02.2014, 21:05:10 schrieb Werner Koch: On Tue, 4 Feb 2014 17:09, d...@fifthhorseman.net said: I don't know of a formalized way to do the other mapping, but it seems like it would be pretty straightforward to embed the full X.509 certificate in a notation packet on a self-sig

Re: making the X.509 infrastructure available for OpenPGP

2014-02-04 Thread Daniel Kahn Gillmor
On 02/04/2014 12:36 PM, Hauke Laging wrote: I don't know of a formalized way to do the other mapping, but it seems like it would be pretty straightforward to embed the full X.509 certificate in a notation packet Why wouldn't the fingerprint and the DN not be enough? The whole approach is

making the X.509 infrastructure available for OpenPGP

2014-02-03 Thread Hauke Laging
Hello, I would like to say first that my X.509 understanding is orders of magnitude lower than that of OpenPGP. So I hope this makes sense to you... This idea came to my mind while I was wondering why several CAs offer free (but rather useless...) certificates for X.509 but not for OpenPGP.