Nikos Mavroyanopoulos <nmav(_at_)hellug(_dot_)gr> writes:
Hello,
Some days ago I posted to the ietf-tls WG mailing list a modification
of draft-ietf-tls-openpgp-01. Since this is about OpenPGP,
I decided to post it here too.
The original post:
I wanted to use OpenPGP certificates with TLS, but
draft-ietf-tls-openpgp-01 has expired, and it had some properties that I did
not like. Here I modified the tls-openpgp draft in a way that:
* no new cipher suites need to be defined, in order to use openpgp keys
* does not use keyIDs but key fingerprints
I'd appreciate any comments on this.
You probably do not want to assume that the fingerprint is 20 octets
long; fingerprints on v3 RSA keys are only 16 octets long. So, your
definition of PGPFingerprint<20> won't work with all OpenPGP keys.
Since you're already assuming DSS keys by your 20-octet fingerprint,
it should be noted that the v4 (DSS) keyID is just the lower 64 bits
of the fingerprint. (RFC 2440: 11.2)
You probably want to send along the keyID as well as the fingerprint.
Most implementations can only look up a key based on the keyID. As a
result, you won't be able to easily look up v3 RSA keys if you only send
the fingerprint. I would recommend you change the definition to:
opaque PGPKeyID<8>;
opaque PGPFingerprintV3<16>;
opaque PGPFingerprintV4<20>;

struct {
    PGPKeyVersion keyVersion;
    select (keyVersion) {
        case v3: PGPFingerprintV3 fingerprint;
        case v4: PGPFingerprintV4 fingerprint;
    }
    PGPKeyID keyID;
} PGPKeyDescriptor;
And then use the PGPKeyDescriptor in your Certificate structure.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord(_at_)MIT(_dot_)EDU PGP key available
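As an added illustration (not code from either poster), the following encodes and decodes the suggested PGPKeyDescriptor, enforcing the two length rules discussed in the reply: a v3 fingerprint is 16 octets, a v4 fingerprint is 20 octets, and for v4 keys the keyID must equal the low 64 bits of the fingerprint. The one-octet wire values 3 and 4 for PGPKeyVersion and the sample fingerprints are assumptions made for the example.

```python
V3, V4 = 3, 4                       # assumed wire values for PGPKeyVersion
FPR_LEN = {V3: 16, V4: 20}          # v3 fingerprint 16 octets, v4 20 octets
KEYID_LEN = 8

def _vec(data, max_len):
    """TLS variable-length opaque vector <max_len>: one-octet length prefix."""
    if len(data) > max_len:
        raise ValueError("vector exceeds %d octets" % max_len)
    return bytes([len(data)]) + data

def _read_vec(buf, pos, max_len):
    n = buf[pos]
    if n > max_len or pos + 1 + n > len(buf):
        raise ValueError("malformed vector at offset %d" % pos)
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _check(version, fingerprint, key_id):
    if version not in FPR_LEN:
        raise ValueError("unknown PGPKeyVersion %r" % version)
    if len(fingerprint) != FPR_LEN[version]:
        raise ValueError("v%d fingerprint must be %d octets" % (version, FPR_LEN[version]))
    if len(key_id) != KEYID_LEN:
        raise ValueError("keyID must be 8 octets")
    # RFC 2440 11.2: a v4 keyID is the low 64 bits of the fingerprint, so the
    # two fields must agree. A v3 keyID is not derived from its fingerprint.
    if version == V4 and key_id != fingerprint[-KEYID_LEN:]:
        raise ValueError("v4 keyID does not match fingerprint")

def encode_descriptor(version, fingerprint, key_id):
    _check(version, fingerprint, key_id)
    return (bytes([version]) + _vec(fingerprint, FPR_LEN[version])
            + _vec(key_id, KEYID_LEN))

def decode_descriptor(buf):
    """Returns (version, fingerprint, key_id, octets_consumed)."""
    if not buf or buf[0] not in FPR_LEN:
        raise ValueError("missing or unknown PGPKeyVersion")
    version = buf[0]
    fingerprint, pos = _read_vec(buf, 1, FPR_LEN[version])
    key_id, pos = _read_vec(buf, pos, KEYID_LEN)
    _check(version, fingerprint, key_id)
    return version, fingerprint, key_id, pos

def rejects(version, fingerprint, key_id):
    """True if encode_descriptor refuses this combination."""
    try:
        encode_descriptor(version, fingerprint, key_id)
    except ValueError:
        return True
    return False

# Constructed sample values, not real key material:
V4_FPR = bytes(range(0xA0, 0xA0 + 20))
V3_FPR = bytes(range(16))
```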