ietf-openpgp

Re: Please adopt http://www.ietf.org/internet-drafts/draft-groth-openpgp-attribute-extension-00.txt

2008-08-31 04:30:40

* Simon Josefsson:

Florian Weimer <fw(_at_)deneb(_dot_)enyo(_dot_)de> writes:

* Duane at:

Server uses, of which TLS is going to be the biggest use case, are the main
objective at present; most server certificates in the X.509 world have a
lot more than just dnsName, such as company name, maybe a contact, the
country, state/territory/province, town/suburb and so on and so forth.

This data is not mechanically processed (at least not in a way which is
consistent across implementations), so you can put it into notation data
subpackets.

Right, however, the TLS server name needs to be mechanically processed,
so it needs a different mechanism -- such as a new OpenPGP extension
that contains a single UTF-8 string intended for identification of
TLS+OpenPGP servers.

Hmm.  There is no automatic trust model for TLS/OpenPGP, so I guess you
need to configure keys explicitly.  In this case, you'd not just record
the fingerprint, but also the domain name.  Problem solved.

(If you want indirection, you can configure signing keys plus a notation
name of the signature notation data subpacket to consider.)
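The explicit configuration described above (record the key fingerprint together with the domain name you connect to) as an added Python example; this is not code from the thread or from any OpenPGP implementation. It computes a v4 key fingerprint the way RFC 4880 defines it and refuses a server whose name has no pin or whose presented key does not match. The pin file format, the host names and the key bytes are constructed assumptions.

```python
import hashlib
import hmac

# Constructed body of an OpenPGP v4 Public-Key packet (RFC 4880 s.5.5.2):
# version 4, creation time, algorithm 1 (RSA), then MPIs n (2048 bits) and e (65537).
# The values are synthetic; only the framing matters for the fingerprint computation.
SAMPLE_KEY_BODY = (
    b"\x04" + (0x48B80000).to_bytes(4, "big") + b"\x01"
    + (2048).to_bytes(2, "big") + b"\x80" + b"\x5a" * 255
    + (17).to_bytes(2, "big") + b"\x01\x00\x01"
)

def v4_fingerprint(key_body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99 || two-octet body length || body (RFC 4880 s.12.2)."""
    framed = b"\x99" + len(key_body).to_bytes(2, "big") + key_body
    return hashlib.sha1(framed).hexdigest().upper()

def parse_pins(text: str) -> dict:
    """Hypothetical pin file: one '<hostname> <fingerprint>' per line, '#' comments,
    spaces allowed inside the hex. Returns normalized hostname -> 40 hex digits."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, *fpr_parts = line.split()
        fpr = "".join(fpr_parts).upper()
        if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
            raise ValueError(f"bad fingerprint for {host!r}")
        pins[host.rstrip(".").lower()] = fpr   # DNS names are case-insensitive
    return pins

def check_server_key(pins: dict, hostname: str, key_body: bytes) -> str:
    """The name we connected to must have a pin and the presented key must match it.
    Returns 'ok', 'no-pin' or 'mismatch'; there is no fallback trust path."""
    expected = pins.get(hostname.rstrip(".").lower())
    if expected is None:
        return "no-pin"
    actual = v4_fingerprint(key_body)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed pin file; the pin is derived from the sample key so the demo matches.
SAMPLE_PINS = ("# trusted TLS/OpenPGP servers\n"
               "mail.example.org " + v4_fingerprint(SAMPLE_KEY_BODY) + "\n")

if __name__ == "__main__":
    pins = parse_pins(SAMPLE_PINS)
    print(check_server_key(pins, "MAIL.example.org.", SAMPLE_KEY_BODY))
```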
