
Re: [openpgp] OpenPGPv5 wish list

2013-04-29 04:40:17
On 29/04/13 12:15 PM, Jean-Jacques wrote:

2) What is the key used for?

And I see at least 4 purposes:
  - To authenticate itself through TLS [RFC6091]
  - Maybe to sign other certificates (subkeys on smartcard issues)
  - To authenticate through HTTP (gpgauth or
    https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt)
  - To sign an OpenUDC transaction.

I work especially on the last 2 purposes. And having the possibility
for the owner to set descriptions, or more flags on its (sub)keys inside
its OpenPGP certificate, would be a more elegant solution than some
workarounds we have to manage.


Some comments from my experience/perspective only. In my work I have done this by using pgp's comment field, aka the uid. Here's some:

$ gpg -k | grep uid

uid                  Iang [certification] (Africa-2012) <iang(_at_)iang(_dot_)org>
uid                  Iang [contract] (lowsec-PIZZA-only) <iang(_at_)iang(_dot_)org>
uid                  Systemics [operator] (Africa-2012) <iang(_at_)iang(_dot_)org>
uid                  Systemics [server] (Babba-2012) <iang(_at_)iang(_dot_)org>
uid                  Systemics [receipt] (Babba-2012) <iang(_at_)iang(_dot_)org>
uid                  Systemics [receipt] (offa-20130101) <iang(_at_)iang(_dot_)org>
uid                  Systemics [server] (offa-20130102) <iang(_at_)iang(_dot_)org>


In my software I use the [tag] for the purpose, the (text) as a human comment, and everything else as the name of the keyholder. You could do whatever tho.

Perhaps more on point, I do not want the OpenPGP system to provide me with bits that allow me to set purpose or anything else, because OpenPGP is too low-level. My designed claims like "this is an operator key" are too involved in the business layer to be foisted onto anyone else. The history of key-bits being used for human claims suggests this is a fast way to failure. E.g., non-revocation and the infamous you-must-understand-me bit.

I don't know if this logic applies to anyone else. But if it did, hypothetically, I might record your claims in my key uids as such:

uid                  Iang [HTTP-auth] (social-networks) <iang(_at_)iang(_dot_)org>
uid                  Systemics [UDC-agent] (Black-2012) <iang(_at_)iang(_dot_)org>

iang
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
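The post describes a business-layer convention layered on top of OpenPGP user IDs: the `[tag]` carries the key purpose, the `(text)` is a human comment, and whatever remains before the `<email>` is the keyholder name. The following is an added example (not code from the post or from iang's software) of how a relying application could parse and emit that convention, so that purpose checks stay in the application rather than in OpenPGP key flags. The user-ID strings are constructed samples modelled on the ones in the post, with placeholder addresses; `UidClaim`, `parse_uid`, `format_uid` and `keys_for_purpose` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample user IDs, modelled on the `gpg -k` listing quoted in the post.
# Addresses are placeholders; the last entry has no [tag]/(comment) and the one
# before it has no <email>, to exercise the optional parts.
SAMPLE_UIDS = [
    "Iang [certification] (Africa-2012) <iang@example.org>",
    "Iang [contract] (lowsec-PIZZA-only) <iang@example.org>",
    "Systemics [operator] (Africa-2012) <iang@example.org>",
    "Systemics [server] (Babba-2012) <iang@example.org>",
    "Systemics [receipt] (Babba-2012) <iang@example.org>",
    "Systemics [receipt] (offa-20130101) <iang@example.org>",
    "Systemics [server]",
    "Plain Name <plain@example.org>",
]

# Body (everything before the address) and an optional trailing <email>.
UID_RE = re.compile(r"^(?P<body>.*?)(?:\s*<(?P<email>[^<>]+)>)?\s*$")
TAG_RE = re.compile(r"\[(?P<tag>[^\[\]]*)\]")
COMMENT_RE = re.compile(r"\((?P<comment>[^()]*)\)")


@dataclass(frozen=True)
class UidClaim:
    """One user ID, split into the fields the convention assigns."""
    name: str
    purpose: Optional[str]   # the [tag]
    comment: Optional[str]   # the (text)
    email: Optional[str]     # the <address>


def parse_uid(uid: str) -> UidClaim:
    """Split a user-ID string into name / [purpose] / (comment) / <email>."""
    m = UID_RE.match(uid.strip())
    body = m.group("body")
    tag_m = TAG_RE.search(body)
    com_m = COMMENT_RE.search(body)
    purpose = tag_m.group("tag").strip() if tag_m else None
    comment = com_m.group("comment").strip() if com_m else None
    # Whatever is not the tag, the comment or the address is the keyholder name.
    name = COMMENT_RE.sub("", TAG_RE.sub("", body))
    name = " ".join(name.split())
    email = m.group("email").strip() if m.group("email") else None
    return UidClaim(name=name, purpose=purpose, comment=comment, email=email)


def format_uid(claim: UidClaim) -> str:
    """Inverse of parse_uid: build the user-ID string to put on the key."""
    parts = [claim.name]
    if claim.purpose is not None:
        parts.append(f"[{claim.purpose}]")
    if claim.comment is not None:
        parts.append(f"({claim.comment})")
    if claim.email is not None:
        parts.append(f"<{claim.email}>")
    return " ".join(parts)


def keys_for_purpose(uids: List[str], purpose: str) -> List[UidClaim]:
    """Select the user IDs whose [tag] names the requested purpose.

    The purpose check lives here, in the application, which is the point the
    post makes: OpenPGP itself carries no notion of 'operator' or 'receipt'.
    """
    return [c for c in map(parse_uid, uids) if c.purpose == purpose]


if __name__ == "__main__":
    for claim in map(parse_uid, SAMPLE_UIDS):
        print(claim)
    print([c.comment for c in keys_for_purpose(SAMPLE_UIDS, "receipt")])
```

In practice the user-ID strings would come from `gpg --with-colons --list-keys`, where each `uid:` record carries the user ID in its tenth field; the human-readable `gpg -k` listing quoted in the post is fine for reading but its column layout is not stable across gpg versions. Because the convention is the application's own, a key with an unknown or missing tag is simply not selected for any purpose, which is the safe default.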
