On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre <[email protected]> wrote:
> Hi, I recently discovered that GnuTLS can use OpenPGP as certificate,
> instead of X509, which afaik depends on the CA model…

That's true, but note that we are planning to deprecate that support:
https://gitlab.com/gnutls/gnutls/issues/102
It will be replaced by raw keys when that support is available.

> …yet afaik the fingerprint changes according to the standard (there are
> at least 4 versions of it for PGP (still using sha1), and at least one
> for X509 (afaik still using sha1 too)), so it won't simplify to "oh,
> simply check the fingerprint and if it's the same as the one I gave you
> it's ok"… anyway it wouldn't work, because since I don't want to store my
> master private key on my server I prefer to "ultimate" sign another
> keypair and put it on my server…
> So my question is: what does "openpgp support" (as cited there:
> http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? Only
> that the dh parameters will get signed by a privkey with the same
> parameters?

It directly uses openpgp certificates and keys for signatures.

> cert with the specified key (at this point I could already do that
> manually)? Then what automation/commodity does it bring? Does it only say
> "that cert is secure" if it is signed by someone you trust/you certified
> according to GPG/GNS/whatever?

You can verify the certificate against a "ring" of trusted keys.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
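The exchange above turns on what "check the fingerprint" actually means for an OpenPGP key. The following is an added example, not code from the thread and not GnuTLS's own implementation: it computes the OpenPGP version 4 fingerprint exactly as RFC 4880 section 12.2 defines it (SHA-1 over the byte 0x99, a two-byte packet length, and the public-key packet body), derives the 64-bit key ID from it, and checks the result against a small pinned "ring" of trusted fingerprints. The RSA modulus and creation time used as input are constructed toy values, not a real key. Note that this models only fingerprint pinning; GnuTLS's ring verification checks the signatures on the certificate against the keys in the ring, which is a separate, stronger step.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 section 3.2):
    two-byte big-endian bit length followed by the minimal big-endian bytes."""
    if n == 0:
        return b"\x00\x00"
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version byte 4, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || body.
    Returns the 40-hex-digit fingerprint in upper case, as GnuPG prints it."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The v4 key ID is the low-order 64 bits of the fingerprint,
    i.e. its last 16 hex digits."""
    return fingerprint[-16:]


def pinned_in_ring(body: bytes, ring: set) -> bool:
    """Fingerprint pinning only: is this key's v4 fingerprint in the trusted ring?
    This is the 'simply check the fingerprint' model discussed in the thread;
    it does not verify any signature on the key."""
    return v4_fingerprint(body) in ring


# Constructed toy key material (assumption: not a real RSA key, far too weak to use).
TOY_N = (1 << 1023) + 12345
TOY_E = 65537
TOY_CREATED = 1472947260  # an arbitrary Unix timestamp, September 2016

TOY_KEY = v4_rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED)

# A second key with the same RSA parameters but a different creation time:
# under v4 the creation time is hashed, so the fingerprint is different.
TOY_KEY_RECREATED = v4_rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED + 1)


def demo():
    """Pin the toy key, then check both keys against the ring."""
    ring = {v4_fingerprint(TOY_KEY)}
    return {
        "fingerprint": v4_fingerprint(TOY_KEY),
        "key_id": key_id(v4_fingerprint(TOY_KEY)),
        "pinned_key_ok": pinned_in_ring(TOY_KEY, ring),
        "recreated_key_ok": pinned_in_ring(TOY_KEY_RECREATED, ring),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The X.509 "SHA-1 fingerprint" is a digest over the DER-encoded certificate, a completely different input, so the two fingerprint families can never be compared directly even though both currently use SHA-1; that is the mismatch the question above is pointing at.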
