No I am not. An example of a similarly false statement would be "When
a trader does not employ an accountant he is serving as his own
accountant."
You don't have a false statement so much as a logical paradox: when a
trader has no accountant, he is his own accountant -- structurally,
it's si
>On Thu, Feb 6, 2014 at 2:20 PM, MFPA <2014-667rhzu3dc-lists-gro...@riseup.net>
>wrote:
>
>On Thursday 6 February 2014 at 6:29:35 PM, in
>,
>Robert J. Hansen wrote:
>> When you decide which certificates to accept, you are
>> serving as your own CA.
>
>No I am not. An example of a similarly false s
Hi
On Thursday 6 February 2014 at 6:29:35 PM, in
,
Robert J. Hansen wrote:
> You are free to redefine black as white while you're at
> it.
Thanks, I'm sure it will come in handy some day.
> When you decide which certificates to accept, you are
I would say that where an individual makes up their own mind which
certificates to mark as valid, they are not using a CA at all. If a
second individual is asking the first individual which certificates
to accept, the second individual is using the first as a CA.
You are free to redefine black a
Hi
On Thursday 6 February 2014 at 4:10:33 PM, in
, Mark H. Wood wrote:
> The problem is that a CPS can say *anything*. Without
> reading it, you have no way of knowing what you should
> expect that CA's certificates to mean.
Another problem is
On Wed, Feb 05, 2014 at 10:30:38PM +0100, Peter Lebbing wrote:
> By the way, I still think the CA certifies that the certificate belongs to the
> person or role identified by the DN. The problem is that when someone vouches
> for the truth of something, that doesn't make it an actual fact. It somet
On Wed, Feb 05, 2014 at 09:06:25PM +0100, Werner Koch wrote:
> On Wed, 5 Feb 2014 19:04, pe...@digitalbrains.com said:
>
> > An X.509 certification obviously certifies that a certain X.509 certificate
> > belongs to the person or role identified by the Distinguished Name. But
> > seen a
>
> Alm
Hi
On Thursday 6 February 2014 at 2:26:33 PM, in
, Robert J. Hansen wrote:
> Don't confuse "OpenPGP doesn't need *external* CAs"
> with "OpenPGP doesn't need CAs." You are your own
> certificate authority in OpenPGP; remove yourself as a
> certif
On 2/6/2014 7:32 AM, MFPA wrote:
> Really not that interesting. It is possible for CAs to be used with
> OpenPGP, but OpenPGP doesn't _need_ CAs.
Quite the contrary. If there are no CAs, then no certificate possesses
any validity.
Don't confuse "OpenPGP doesn't need *external* CAs" with "OpenPGP
Hi
On Tuesday 4 February 2014 at 6:38:07 PM, in
, Peter Lebbing wrote:
> FWIW, CACert signs OpenPGP keys of verified people with
> key 0xD2BB0D0165D0FD58 if you want them to. Since it's
> 1024-bit DSA, it's a bit dated in some respects. And
> CAC
Hi
On Thursday 6 February 2014 at 2:48:31 AM, in
, Hauke Laging wrote:
> Of course, someone could both not care about
> CAs and be interested in spreading OpenPGP but that
> attitude would raise some very interesting questions.
Really not that i
On 06/02/14 03:48, Hauke Laging wrote:
> the respective CA could automatically create a signature for it as Peter has
> explained
Actually, I suggested leveraging an existing X.509 certification to induce
validity in the OpenPGP model. The CA would not be actively involved.
> So the best way woul
On Wed 05.02.2014, 00:03:23, Daniel Kahn Gillmor wrote:
> > Why wouldn't the fingerprint and the DN not be enough? The whole
> > approach is based on the assumption that the X.509 certificate is
> > already available.
>
> if the X.509 certificate is already available, nothing else needs to
> be d
On Wed 05.02.2014, 11:23:24, Werner Koch wrote:
> In general it does not make sense to use the same key - there is no
> advantage.
I think that is not correct. It is today but not from the perspective of
my proposal.
a) If a CA uses the same key in both formats then we can get the
advantage wh
On 05/02/14 21:06, Werner Koch wrote:
> Almost all X.509 certifications in public use certify only one of two
> things:
I never intended my message to say I would trust any CA. Hauke was looking for a
way to leverage trust in a CA; I was merely contributing something I thought he
might find interes
On 02/05/2014 03:06 PM, Werner Koch wrote:
> Almost all X.509 certifications in public use certify only one of two
> things:
>
> - Someone has pushed a few bucks over to the CA.
>
> - Someone has convinced the CA to directly or indirectly issue a
>certificate.
To further clarify: "Domain V
On Wed, 5 Feb 2014 19:04, pe...@digitalbrains.com said:
> An X.509 certification obviously certifies that a certain X.509 certificate
> belongs to the person or role identified by the Distinguished Name. But seen a
Almost all X.509 certifications in public use certify only one of two
things:
-
On 02/05/2014 01:04 PM, Peter Lebbing wrote:
> So you could create a hybrid model:
>
> I assign trust to a specific CA. That CA has issued a certificate with DN
> "XYZ".
> In my public OpenPGP keyring, there exists a key with a UID "XYZ", and that
> public key has the same raw key material as the
On 05/02/14 11:23, Werner Koch wrote:
> In general it does not make sense to use the same key - there is no
> advantage.
I could think of /a/ reason to do it. You could leverage existing X.509
certifications by CAs to verify key validity in the OpenPGP world.
An X.509 certification obviously cer
> That is not what I suggest. You can assign certification trust to any
> key. Why should this of all keys not be done with certain CA keys?
Ah, I had missed that nuance a bit, sorry.
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if
On Wed, 5 Feb 2014 04:15, mailinglis...@hauke-laging.de said:
> Wow. Does that mean that PGP can verify OpenPGP keys with X.509
> certificates (in combination with a related OpenPGP certificate)? Or is
> this just a "theoretical" feature?
IIRC, the PGP desktop client also integrated an IPsec c
On Wed, 5 Feb 2014 06:03, d...@fifthhorseman.net said:
> Werner recently (in message ID 87zjmv127f@vigenere.g10code.de)
> indicated his acceptance of a notation named extended-us...@gnupg.org
> with a value that can be set to "bitcoin". Maybe the same notation
We can do that as soon as gnii
On 02/04/2014 12:36 PM, Hauke Laging wrote:
>> I don't know of a formalized way to do the other mapping, but it seems
>> like it would be pretty straightforward to embed the full X.509
>> certificate in a notation packet
>
> Why wouldn't the fingerprint and the DN not be enough? The whole
> appro
On Tue 04.02.2014, 21:05:10, Werner Koch wrote:
> On Tue, 4 Feb 2014 17:09, d...@fifthhorseman.net said:
> > I don't know of a formalized way to do the other mapping, but it
> > seems like it would be pretty straightforward to embed the full
> > X.509 certificate in a notation packet on a self-sig
On Tue 04.02.2014, 19:38:07, Peter Lebbing wrote:
> And CACert still isn't in the default
> trusted root bundle on quite some systems, I believe.
And will probably "never" be.
> extending the trust in that broken model to OpenPGP
That is not what I suggest. You can assign certification trust t
On Tue, 4 Feb 2014 17:09, d...@fifthhorseman.net said:
> I don't know of a formalized way to do the other mapping, but it seems
> like it would be pretty straightforward to embed the full X.509
> certificate in a notation packet on a self-sig (presumably a self-sig
PGP does this. IIRC, Hal Finn
On 04/02/14 17:09, Daniel Kahn Gillmor wrote:
> If there is a public CA that is willing to offer OpenPGP certificates, i
> would like to know about it (whether they offer them with the same key they
> use for their X.509 activities or not).
FWIW, CACert signs OpenPGP keys of verified people with k
On 4 February 2014 15:47, Daniel Kahn Gillmor wrote:
> On 02/04/2014 09:01 AM, Mark H. Wood wrote:
> > Having said that, you might look at how OpenSSH has included X.509
> > certificates in its operation. There is precedent for something like
> > what you suggest.
>
> fwiw, the answer here is "t
On Tue 04.02.2014, 11:09:42, Daniel Kahn Gillmor wrote:
> We have such an indicator format going in the opposite direction
> (pointing from X.509 to the related OpenPGP cert). In particular,
> it's the X509v3 extension known as PGPExtension
Interesting, I didn't know that.
> I don't know of a
On 02/03/2014 10:55 PM, Hauke Laging wrote:
> This idea came to my mind while I was wondering why several CAs offer
> free (but rather useless...) certificates for X.509 but not for OpenPGP.
> Whatever they do with X.509 can be done with OpenPGP, too (e.g. setting
> an expiration date for the si
On 02/04/2014 09:01 AM, Mark H. Wood wrote:
> Having said that, you might look at how OpenSSH has included X.509
> certificates in its operation. There is precedent for something like
> what you suggest.
fwiw, the answer here is "they haven't". Roumen Petrov's X.509 patches
remain outside of Ope
On Tue, Feb 04, 2014 at 04:55:56AM +0100, Hauke Laging wrote:
[snip]
> Now my point: Keys can be converted from one format to the other. The
> fingerprint changes but obviously the keygrip doesn't. I believe it
> would make a lot of sense to create a connection between gpg and gpgsm
> and point
Hello,
I would like to say first that my X.509 understanding is orders of
magnitude lower than that of OpenPGP. So I hope this makes sense to
you...
This idea came to my mind while I was wondering why several CAs offer
free (but rather useless...) certificates for X.509 but not for OpenPGP.
W
34 matches