Robert J. Hansen wrote:
> arghman wrote:
>> So (and here's where I'm less clear) if I wanted to link the assertions made
>> by my X.509 certificates and my OpenPGP keys, there's no way to
>> automatically do this. But if I were to use the same private/public key in
>> both cases, I can assert to a third party that the entity in control of the
>> certificate / keys is the same entity because they are based on the same
>> underlying cryptographic primitive.
>
> And the answer is the same as before: this is possible although very
> difficult and usually not worth it.
I tried this some years ago and concur with Robert. PGP Desktop will read an X.509 cert into its keyring. What you get is an RSA key with no expiration date, with a CA certification as a signature packet which has no impact on the key's functionality once it expires. That's not the way X.509 is supposed to work.

This key pair may be exported and imported into GnuPG, where it will be seen as a non-self-signed key with an invalid signature packet (the CA certification).

    C:\WINNT>gpg --list-key 0xbe81a801
    pub   2048R/BE81A801 2005-09-16
    uid                  Thawte Freemail Member <john.cli...@earthlink.net>

    C:\WINNT>gpg --list-sigs 0xbe81a801
    pub   2048R/BE81A801 2005-09-16
    uid                  Thawte Freemail Member <john.cli...@earthlink.net>
    sig X       00000000 2005-09-16  [User ID not found]

You can use the raw key material from an X.509 cert in GnuPG after you've massaged and cleaned it up a bit. But it really doesn't gain you anything. Each of the two copies has no effect on the other. The CA's certification is ignored in OpenPGP. Any additional OpenPGP signatures have no effect on the X.509 validity or trust.

IMO, a lot of work for no real benefit. YMMV.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net
    or mailto:pgp-public-k...@gingerbear.net?subject=help

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
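The key PGP Desktop produced above is an OpenPGP v4 RSA public-key packet built from the certificate's raw (n, e); that modulus is the only thing the two formats share, and OpenPGP keeps expiry and certifications outside the key packet, in signature packets that GnuPG rejected here. The following is an added illustration, not code from the thread or from GnuPG: it builds the packet per RFC 4880, computes the fingerprint and key ID gpg would list, parses it back, and checks whether a certificate's modulus matches the OpenPGP key's modulus. The modulus and creation time are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not a real key): any (n, e) pulled out of an
# X.509 SubjectPublicKeyInfo would be packed exactly the same way.
SAMPLE_N = int("C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0F", 16)
SAMPLE_E = 65537
SAMPLE_CREATED = 1126828800  # 2005-09-16 00:00:00 UTC, like the listing above


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf: bytes, pos: int):
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def build_v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2): version 4, creation
    time, algorithm 1 (RSA), MPI n, MPI e. Note there is no expiry field: a v4
    key only expires through a Key Expiration subpacket in a self-signature,
    which a key imported from an X.509 cert does not have."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(body: bytes) -> str:
    """Long key ID is the low 64 bits of the fingerprint; gpg prints the last 8 hex digits."""
    return fingerprint(body)[-16:]


def parse_v4_rsa_public_key_body(body: bytes) -> dict:
    version, created, algo = body[0], struct.unpack(">I", body[1:5])[0], body[5]
    if version != 4 or algo != 1:
        raise ValueError("not a v4 RSA public key packet")
    n, pos = read_mpi(body, 6)
    e, _ = read_mpi(body, pos)
    return {"created": created, "n": n, "e": e}


def same_key_material(cert_modulus: int, body: bytes) -> bool:
    """The only verifiable link between the cert and the OpenPGP key is the modulus."""
    return parse_v4_rsa_public_key_body(body)["n"] == cert_modulus
```

A match on the modulus proves only that both artifacts wrap the same RSA key; neither the CA certification nor any OpenPGP signature carries across, as the post describes.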
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users