On Wed 05.02.2014, 00:03:23, Daniel Kahn Gillmor wrote:

> > Why wouldn't the fingerprint and the DN not be enough? The whole
> > approach is based on the assumption that the X.509 certificate is
> > already available.
>
> if the X.509 certificate is already available, nothing else needs to
> be done.

That is correct but this argument doesn't make sense in the context of my proposal: You have to look for the X.509 certificate in the root CA store anyway because being part of the root CA pool is the core of my proposal.

> > Using a different key would not make sense.
>
> why not? many of the main cartel CAs routinely set up special keys
> for sub-CAs whose job is to make certain kinds of certifications.
> Perhaps such a sub-CA could be made for issuing OpenPGP
> certifications?

Using a different key for an intermediate CA would not be a problem at all. Just the root certificate (which is pre-installed) must be the same.

Hauke
--
Crypto for everyone:
http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users