On 29/04/13 12:15 PM, Jean-Jacques wrote:
> 2) What is the key used for?
> And I see at least 4 purposes:
> - To authenticate itself through TLS [RFC6091]
> - Maybe to sign other certificates (subkeys on smartcard issues)
> - To authenticate through HTTP (gpgauth or
> https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt)
> - To sign an OpenUDC transaction.
> I work especially on the last 2 purposes. And having the possibility
> for the owner to set descriptions, or more flags on its (sub)keys inside
> its OpenPGP certificate, would be a more elegant solution than some
> workaround we have to manage.
Some comments from my experience/perspective, only. In my work I have
done this by using pgp's comment field aka uid. Here's some:
$ gpg -k | grep uid
uid Iang [certification] (Africa-2012) <iang(_at_)iang(_dot_)org>
uid Iang [contract] (lowsec-PIZZA-only) <iang(_at_)iang(_dot_)org>
uid Systemics [operator] (Africa-2012) <iang(_at_)iang(_dot_)org>
uid Systemics [server] (Babba-2012) <iang(_at_)iang(_dot_)org>
uid Systemics [receipt] (Babba-2012) <iang(_at_)iang(_dot_)org>
uid Systemics [receipt] (offa-20130101) <iang(_at_)iang(_dot_)org>
uid Systemics [server] (offa-20130102) <iang(_at_)iang(_dot_)org>
In my software I use the [tag] for the purpose, the (text) as a human
comment, and everything else as the name of the keyholder. You could do
whatever tho.
Perhaps more on point, I do not want the OpenPGP system to provide me
with bits that allow me to set purpose or anything else, because OpenPGP
is too low-level. My designed claims like "this is an operator key" are
too involved in the business layer to be foisted onto anyone else. The
history of key-bits being used for human claims suggests this is a fast
way to failure. E.g., non-revocation and the infamous
you-must-understand-me bit.
I don't know if this logic applies to anyone else. But if it did,
hypothetically, I might record your claims in my key uids as such:
uid Iang [HTTP-auth] (social-networks) <iang(_at_)iang(_dot_)org>
uid Systemics [UDC-agent] (Black-2012) <iang(_at_)iang(_dot_)org>
iang
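The uid convention described in the message above ("[tag]" for the purpose, "(text)" as a human comment, "<...>" the address, everything else the keyholder's name), as an added example that is not the author's code: a small parser over the `gpg -k` uid lines quoted in the message, plus a selector for one purpose. The sample input is constructed from those lines (joined back onto single lines); undoing the list archive's `(_at_)`/`(_dot_)` rewriting is an assumption about the archive, not part of the convention. Note that a uid is a claim made by the keyholder, so an application should check the self-signature (and whatever certification it requires) before acting on the tag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the uid lines from the message, one per line.
SAMPLE_LISTING = """\
uid Iang [certification] (Africa-2012) <iang(_at_)iang(_dot_)org>
uid Iang [contract] (lowsec-PIZZA-only) <iang(_at_)iang(_dot_)org>
uid Systemics [operator] (Africa-2012) <iang(_at_)iang(_dot_)org>
uid Systemics [server] (Babba-2012) <iang(_at_)iang(_dot_)org>
uid Systemics [receipt] (Babba-2012) <iang(_at_)iang(_dot_)org>
uid Systemics [receipt] (offa-20130101) <iang(_at_)iang(_dot_)org>
uid Systemics [server] (offa-20130102) <iang(_at_)iang(_dot_)org>
uid Plain Holder <plain(_at_)example(_dot_)org>
"""

# "[tag]" = purpose, "(text)" = comment, "<...>" = address, rest = name.
# Tag, comment and address are each optional so an ordinary uid still parses.
UID_RE = re.compile(
    r"^uid\s+"
    r"(?P<name>[^\[(<]*?)\s*"
    r"(?:\[(?P<purpose>[^\]]+)\]\s*)?"
    r"(?:\((?P<comment>[^)]*)\)\s*)?"
    r"(?:<(?P<email>[^>]+)>)?\s*$"
)


@dataclass(frozen=True)
class Uid:
    name: str
    purpose: Optional[str]
    comment: Optional[str]
    email: Optional[str]


def unmangle(addr: str) -> str:
    # Assumption: the list archive rewrote "@" and "." in addresses.
    return addr.replace("(_at_)", "@").replace("(_dot_)", ".")


def parse_uid(line: str) -> Optional[Uid]:
    """Parse one 'uid ...' line; return None for any other gpg output line."""
    m = UID_RE.match(line.strip())
    if not m:
        return None
    email = m.group("email")
    return Uid(m.group("name").strip(), m.group("purpose"),
               m.group("comment"), unmangle(email) if email else None)


def parse_listing(text: str) -> List[Uid]:
    return [u for u in (parse_uid(ln) for ln in text.splitlines()) if u]


def uids_for_purpose(uids: List[Uid], purpose: str) -> List[Uid]:
    # The uids an application would accept for one role, e.g. "server".
    return [u for u in uids if u.purpose == purpose]
```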
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp