ietf-openpgp

Re: Status of RFC2440

2004-10-24 03:09:14
On Thursday 21 October 2004 04:01, Hironobu SUZUKI wrote:
> "X.509 is a standard". It is true because we have no alternative
> choice for CA service in OpenPGP. It is hard to make an OpenPGP CA
> service because there is no trust model with a certificate authority in
> OpenPGP.

Actually, all the necessary flags are there:

section 5.2.3.12 Trust Signature (can be used for sub-CA signature).

section 5.2.3.14 Revocation Key (necessary for some strictly hierarchical CA
models).

section 5.2.3.20 Key Flags:
0x01 - this key may be used to certify other keys (read: Sub-CA)
0x02/0x04/0x08 - this key may be used to sign/encrypt data (read: user key)
0x10 - key escrow (minefield warning: partly patented by PGP Inc.)
0x80 - group key
All that is left to do is:
* implement support for this model in OpenPGP aware products
* issue a list of trusted CAs (public keyring) suitable for your application
        Konrad

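The flags Konrad lists are carried in OpenPGP signature subpackets, so a CA-aware implementation has to decode them before it can act on a trust model. The following decoder is an added example and is not code from this thread or from any OpenPGP implementation. It assumes the RFC 2440 subpacket encoding (1-, 2- or 5-octet length followed by a type octet whose high bit marks the subpacket critical) and the subpacket type numbers 5 (Trust Signature), 12 (Revocation Key) and 27 (Key Flags); the sample subpacket stream and the revocation-key fingerprint in it are constructed for the demonstration.

```python
"""Decode the RFC 2440 signature subpackets a hierarchical CA model relies on:
Trust Signature (type 5), Revocation Key (type 12) and Key Flags (type 27).
Added example; the sample data below is constructed, not from a real key."""

TRUST_SIGNATURE = 5
REVOCATION_KEY = 12
KEY_FLAGS = 27

# Key Flags bits (RFC 2440 section 5.2.3.20), labelled as in the message above
KEY_FLAG_NAMES = {
    0x01: "certify other keys",
    0x02: "sign data",
    0x04: "encrypt communications",
    0x08: "encrypt storage",
    0x10: "private key may have been split (escrow / secret sharing)",
    0x80: "private key may be held by more than one person (group key)",
}


def read_subpacket_length(data, pos):
    """Return (length, new_pos) for the 1-, 2- or 5-octet subpacket length."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5


def iter_subpackets(data):
    """Yield (type, critical, body) for every subpacket in a subpacket area.
    The length covers the type octet plus the body, so a zero length or a
    length running past the buffer is rejected rather than silently skipped."""
    pos = 0
    while pos < len(data):
        length, pos = read_subpacket_length(data, pos)
        if length == 0 or pos + length > len(data):
            raise ValueError("truncated or malformed subpacket at offset %d" % pos)
        type_octet = data[pos]
        body = data[pos + 1:pos + length]
        yield type_octet & 0x7F, bool(type_octet & 0x80), body
        pos += length


def decode_key_flags(body):
    """Map the first flags octet to the human-readable usages set in it."""
    if not body:
        raise ValueError("empty Key Flags subpacket")
    flags = body[0]
    return [name for bit, name in KEY_FLAG_NAMES.items() if flags & bit]


def decode_trust_signature(body):
    """Trust Signature body: one octet trust level, one octet trust amount."""
    if len(body) != 2:
        raise ValueError("Trust Signature body must be 2 octets")
    return {"level": body[0], "amount": body[1]}


def decode_revocation_key(body):
    """Revocation Key body: class octet (0x80 set, 0x40 = sensitive),
    public-key algorithm id, 20-octet fingerprint of the revoker."""
    if len(body) != 22 or not body[0] & 0x80:
        raise ValueError("malformed Revocation Key subpacket")
    return {
        "sensitive": bool(body[0] & 0x40),
        "algorithm": body[1],
        "fingerprint": body[2:].hex(),
    }


def describe_ca_subpackets(data):
    """Decode the CA-relevant subpackets; unknown non-critical types are skipped,
    unknown critical types are an error, as the RFC requires."""
    result = {}
    for sp_type, critical, body in iter_subpackets(data):
        if sp_type == KEY_FLAGS:
            result["key_flags"] = decode_key_flags(body)
        elif sp_type == TRUST_SIGNATURE:
            result["trust_signature"] = decode_trust_signature(body)
        elif sp_type == REVOCATION_KEY:
            result["revocation_key"] = decode_revocation_key(body)
        elif critical:
            raise ValueError("unknown critical subpacket type %d" % sp_type)
    return result


# Constructed sample: a sub-CA key with certify+sign flags (0x03), a trust
# signature of level 1 / amount 120, and a made-up revocation-key fingerprint.
SAMPLE = (
    bytes([2, KEY_FLAGS, 0x03])
    + bytes([3, TRUST_SIGNATURE, 1, 120])
    + bytes([23, REVOCATION_KEY, 0x80, 17]) + bytes(range(20))
)

if __name__ == "__main__":
    for key, value in describe_ca_subpackets(SAMPLE).items():
        print(key, value)
```

Running the block prints the decoded key flags, the trust-signature level and amount, and the revocation-key class, algorithm and fingerprint from the constructed sample; the length decoder and the critical-bit handling are what a keyring tool needs to get right before it can evaluate a list of trusted CAs.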
