ietf-openpgp

Re: Further deprecating PGP2

2003-03-17 05:44:33

Jon Callas <jon(_at_)callas(_dot_)org> writes:
On 3/11/03 9:28 AM, "Mike Markowitz" <markowitz(_at_)infoseccorp(_dot_)com> 
wrote:

[Incidentally, what we're talking about is PGP's importing X.509
certificates. It imports them as V3 keys. This is a meta-2440 issue, which
is why I never brought it up.]

[...]

Any chance this will be corrected in PGP8 in the near future? (Converting
a cert into a V4 key with appropriate algorithm preferences is not that hard.)

Personally, I think this is a misfeature. However, I *understand* why it was
done that way. There are a whole host of little fiddly things about making
one into a V4 key that can be completely sidestepped by making it a V3.

I've been using X.509 keys as v4 keys for PGP for ages without any problems.
You just format the key in the PGP manner and use the validity from the
cert to provide the date for the hashed key ID.

There are so many of them that making it into a V4 key could be called "a
can of worms." Certainly, it would require a couple of design meetings.
(Example worm coming out of the can -- what if the X.509 cert has in its
basic constraints that it's an encryption-only key? 2440 says that a
top-level key must be capable of signing. Possible solutions include
ignoring the issue, and making that key a sub-key while generating a new
top-level key.)

I don't try and make the X.509-derived keys *that* PGP-ish.  It works fine
without going to that level, which sidesteps the whole issue.

Peter.

