Faramir-2 wrote:

> > Rather than using the same key pair with x.509 and PGP, I would
> > suggest to use your x.509 certificate as a "proof" of your identity, and
> > if people accept that as a valid proof, then they would sign your pgp
> > key too.
>
> Interesting, I'll look into that...
> > The paper does not propose a way to allow X.509 and OpenPGP to
> > interoperate. It's instead proposing something much different, which is
> > unrelated to the original poster's request.
>
> Right, but thinking about what he said (he wanted some explanations from a
> user's point of view), I think we should advise him not to try to make
> both standards interoperate... at least, not at the "code" level...

hmm, let me try to restate more carefully, based on my understanding
(corrections welcome if I get information/terminology wrong here).

I know that X.509 and OpenPGP are "incompatible" in the sense that VHS and
Betamax are (were) incompatible. I'm not looking for something that works in
one to work in the other.

Both, however, are based on underlying cryptographic primitives to make
security/identity assertions. One of those primitives is (or can be) an RSA
public/private key pair and the operations using that key pair. This is used
automatically by various software tools to do different things in each of the
two systems. But both rely on the principles of public-key cryptography,
including that a public/private key pair, when kept secret, can be used as a
security/identity assertion, by encrypting messages with the private key, since
the probability that someone besides the person possessing the private key
could have encrypted the message can be made sufficiently small, and anyone
can verify the encryption using the public key.

So (and here's where I'm less clear) if I wanted to link the assertions made
by my X.509 certificates and my OpenPGP keys, there's no way to automatically
do this. But if I were to use the same private/public key in both cases, I can
assert to a third party that the entity in control of the certificate / keys
is the same entity because they are based on the same underlying cryptographic
primitive.
In order to verify that assertion, that third party would either have to
manually transfer the underlying public key from one system to the other, or
allow a reputable software tool to perform that task automatically. Such a
reputable software tool may not exist right now, and therefore this approach
is not useful for third parties without the manual skills to transfer public
keys from one system to the other.

If there is an alternative approach that makes the same kind of assertion (the
entity named in a given X.509 certificate is the same entity in possession of
the OpenPGP key pair), then that would suffice for me. This could conceivably
involve putting some appropriate key/signature/whatever into the X.509
certificate, if I could figure out how to make the corresponding certificate
signing request with the CA.

--
View this message in context: http://www.nabble.com/using-gpg-with-private-keys-from-openssl-certificates--tp21057804p21074117.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
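The "manual transfer" step the poster describes, pulling the RSA public key out of both containers and comparing it, as an added example that is not part of this thread and is not GnuPG or OpenSSL code. It uses only the Python standard library; the function names, the toy 64-bit modulus and the creation timestamp are constructed here for illustration, and it handles only RSA keys, in a DER SubjectPublicKeyInfo on the X.509 side and an old-format tag-6 OpenPGP v4 public-key packet on the OpenPGP side.

```python
"""Added example: compare the RSA public key inside an X.509
SubjectPublicKeyInfo with the one inside an OpenPGP v4 public-key packet.
Standard library only; the DER and OpenPGP encoders exist solely to build
the constructed sample input below (they are NOT real keys or certificates)."""
import hashlib
import struct

# ---- minimal DER (X.690) helpers -------------------------------------------

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:               # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # rsaEncryption

def build_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }"""
    rsa_pub = der_seq(der_int(n), der_int(e))                 # RSAPublicKey
    bit_str = b"\x03" + der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub
    return der_seq(der_seq(RSA_OID, b"\x05\x00"), bit_str)

def rsa_from_spki(spki: bytes) -> tuple:
    """Pull (n, e) out of a DER SubjectPublicKeyInfo (what an X.509 cert carries)."""
    tag, outer, _ = der_read(spki, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    tag, alg, pos = der_read(outer, 0)
    assert tag == 0x30 and alg.startswith(RSA_OID), "algorithm is not rsaEncryption"
    tag, bits, _ = der_read(outer, pos)
    assert tag == 0x03 and bits[0] == 0, "malformed BIT STRING"
    _, rsa_pub, _ = der_read(bits, 1)                         # skip unused-bits byte
    tag_n, n, pos = der_read(rsa_pub, 0)
    tag_e, e, _ = der_read(rsa_pub, pos)
    assert tag_n == tag_e == 0x02, "RSAPublicKey members must be INTEGERs"
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

# ---- OpenPGP v4 public-key packet (RFC 4880 section 5.5.2) -----------------

def mpi(v: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def build_openpgp_pubkey(n: int, e: int, created: int = 0) -> bytes:
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)  # v4, RSA
    return b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length

def _packet_body(pkt: bytes) -> bytes:
    assert pkt[0] == 0x99, "expected old-format tag-6 header with 2-byte length"
    return pkt[3:3 + struct.unpack(">H", pkt[1:3])[0]]

def rsa_from_openpgp(pkt: bytes) -> tuple:
    """Pull (n, e) out of a v4 RSA public-key packet."""
    body = _packet_body(pkt)
    assert body[0] == 4 and body[5] == 1, "expected a version-4 RSA key"
    pos, vals = 6, []
    for _ in range(2):
        nbits = struct.unpack(">H", body[pos:pos + 2])[0]
        nbytes = (nbits + 7) // 8
        vals.append(int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"))
        pos += 2 + nbytes
    return tuple(vals)

def openpgp_v4_fingerprint(pkt: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte length and the packet body (RFC 4880 section 12.2)."""
    body = _packet_body(pkt)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def same_rsa_key(spki: bytes, pkt: bytes) -> bool:
    """True when both credentials wrap the identical RSA primitive (n, e)."""
    return rsa_from_spki(spki) == rsa_from_openpgp(pkt)

# ---- constructed sample input: a toy 64-bit modulus, NOT a usable key ------
TOY_N = 4294967291 * 4294967279
TOY_E = 65537
SAMPLE_SPKI = build_spki(TOY_N, TOY_E)
SAMPLE_PGP = build_openpgp_pubkey(TOY_N, TOY_E, created=1229000000)
OTHER_PGP = build_openpgp_pubkey(TOY_N, 3)        # same n, different e: not the same key

if __name__ == "__main__":
    print("fingerprint:", openpgp_v4_fingerprint(SAMPLE_PGP))
    print("same key?  ", same_rsa_key(SAMPLE_SPKI, SAMPLE_PGP))   # True
    print("other key? ", same_rsa_key(SAMPLE_SPKI, OTHER_PGP))    # False
```

Equal (n, e) shows that the certificate and the OpenPGP key wrap the same primitive, which is exactly the assertion described above; it says nothing about who holds the private key or whether the certificate's subject name matches the OpenPGP user ID, so the identity half still rests on the CA's and the key signers' checks. With real material, `openssl x509 -in cert.pem -pubkey -noout` prints the PEM SubjectPublicKeyInfo, whose base64 payload decodes to the DER this parser expects, and the OpenPGP side assumes the old-format key-packet header that GnuPG normally writes.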