ietf-openpgp

Re: Principles and Principals

1997-09-24 10:54:37
From: "Bonatti Chris" <bonattic(_at_)ieca(_dot_)com>
> This is a good approach, although by itself it does not address
> the totality of the e-mail requirement.  You still need some way
> to bind the e-mail address to the key.  Whatever the principal
> is, this is a function that's got no better place to roost than
> the public key infrastructure.

Yes.  See the SPKI requirements.


>> I think this is a great way to look at it. Using the public
>> key, its hash or fingerprint as *the* DN allows all sorts of
>> important functionality like authorisations. E-mail is probably
>> the most widespread use of PGP at the moment, but can be
>> considered separately. E-mail users in effect can state to the
>> world (via keyservers) that their public key 'speaks' for a
>> certain address (to use SPKI lingo). So, if a key is to be used
>> for e-mail, it must contain such a 'tag' with an e-mail
>> address. If not, no problem.

> Unless I misunderstand you, the e-mail address is not then bound
> into the certificate structure.

You misunderstand.  When used for email, the email address is signed
as part of the certificate.

The email address is a "tag", signed by the principal (and other
introducers).  Think of it as a URI.  It says where to look for the key.

WSimpson(_at_)UMich(_dot_)edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson(_at_)MorningStar(_dot_)com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
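The model argued in this exchange (the principal is the hash of the public key rather than a name, and an e-mail address is a "tag" signed by that key and by any introducers) can be shown in a few lines of code. The following is an added example, not code from the thread, from OpenPGP or from any SPKI implementation; it assumes Ed25519 keys, SHA-256 as the key hash, a trivial canonical encoding of the tag, and a constructed address (alice@example.org). All of those are this example's choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Principal returns the SPKI-style name of a key: not a Distinguished Name
// but the hex SHA-256 of the raw public key bytes. (Hash choice and encoding
// are this example's assumptions, not anything stated in the thread.)
func Principal(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// EmailTag is the "tag": a statement that the key named by Principal
// speaks for Email.
type EmailTag struct {
	Principal string
	Email     string
}

// bytes gives a deterministic encoding so that one signature covers both
// fields and cannot be transplanted onto another principal or address.
func (t EmailTag) bytes() []byte {
	return []byte("email-tag\x00" + t.Principal + "\x00" + t.Email)
}

// SignedTag is the tag plus signatures keyed by the signer's principal:
// the key owner's own signature and zero or more introducers.
type SignedTag struct {
	Tag        EmailTag
	Signatures map[string][]byte
}

// SelfSign builds the tag for email and signs it with the very key the tag
// names, which is what binds the address into the certificate.
func SelfSign(priv ed25519.PrivateKey, email string) SignedTag {
	pub := priv.Public().(ed25519.PublicKey)
	tag := EmailTag{Principal: Principal(pub), Email: email}
	return SignedTag{
		Tag:        tag,
		Signatures: map[string][]byte{tag.Principal: ed25519.Sign(priv, tag.bytes())},
	}
}

// Introduce adds an introducer's signature over the same tag bytes.
func Introduce(st *SignedTag, introducer ed25519.PrivateKey) {
	pub := introducer.Public().(ed25519.PublicKey)
	st.Signatures[Principal(pub)] = ed25519.Sign(introducer, st.Tag.bytes())
}

// VerifyBinding checks that pub is the key the tag names and that the tag
// carries a valid signature by that key. A tag without a self-signature,
// or one whose address was altered after signing, binds nothing.
func VerifyBinding(st SignedTag, pub ed25519.PublicKey) bool {
	p := Principal(pub)
	if st.Tag.Principal != p {
		return false
	}
	sig, ok := st.Signatures[p]
	return ok && ed25519.Verify(pub, st.Tag.bytes(), sig)
}

// VerifyIntroducer reports whether introducerPub vouched for this tag.
func VerifyIntroducer(st SignedTag, introducerPub ed25519.PublicKey) bool {
	sig, ok := st.Signatures[Principal(introducerPub)]
	return ok && ed25519.Verify(introducerPub, st.Tag.bytes(), sig)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Alice states to the world that her key speaks for a constructed address.
	tag := SelfSign(alicePriv, "alice@example.org")
	Introduce(&tag, bobPriv)

	fmt.Println("principal:", tag.Tag.Principal)
	fmt.Println("self-signed binding:", VerifyBinding(tag, alicePub))
	fmt.Println("bob introduced it:", VerifyIntroducer(tag, bobPub))

	// Changing the address after signing breaks the binding.
	forged := tag
	forged.Tag.Email = "mallory@example.org"
	fmt.Println("forged address verifies:", VerifyBinding(forged, alicePub))

	// Bob's introducer signature does not make Bob's key the owner of the tag.
	fmt.Println("bob's key owns the tag:", VerifyBinding(tag, bobPub))
}
```

The point the code makes is the one in the reply above: the address is not a separate lookup table beside the key, it is signed data inside the certificate, and a verifier that finds no valid self-signature over the tag should treat the key as not speaking for that address at all.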
