On Tue, Feb 04, 2014 at 04:55:56AM +0100, Hauke Laging wrote:
[snip]
> Now my point: Keys can be converted from one format to the other. The 
> fingerprint changes but obviously the keygrip doesn't. I believe it 
> would make a lot of sense to create a connection between gpg and gpgsm 
> and point gpgsm to the OS's and / or browser's root certificate pool. 
> Then a CA could offer its certificate in OpenPGP format (even conforming 
> to some new "standard" which makes it easier to detect this special kind 
> of certificate e.g. by using a comment or signature notation pointing to 
> the related X.509 certificate), and GnuPG could easily realize that it 
> is the same key. This would relieve the user from the hard decision 
> whether a certificate is valid (the CA's OpenPGP certificate in this
> case). The user would just have to decide (like with any other OpenPGP 
> certificate) whether he wants to trust this CA (and how much).
> 
> By doing so the pre-installed CA pool would become valuable for OpenPGP, 
> too, and it would make sense for the CAs to offer certifications for 
> OpenPGP certificates, too.

Assuming you trust those CAs.  All of them.

Having said that, you might look at how OpenSSH has included X.509
certificates in its operation.  There is precedent for something like
what you suggest.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
