On 07/03/2016 08:41 PM, Peter Gutmann wrote:
Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> writes:
I think we should be clear about what it would take to do what you're
proposing; there are two main angles:
* certificate interoperability (OpenPGP certs vs. X.509 certs)
This is easily solved in a technical spec, just define (to use the approach
I've been using in my code, which has worked more or less seamlessly for some
years), the use of sKID for S/MIME and issuerAndSerialNumber for PGP.
Commercial PGP products used this type of "same key, two certificates"
paradigm for over a decade. Some of this is documented in
http://www.ietf.org/mail-archive/web/openpgp/current/msg01742.html
(that's what PGP Corp. did; this write-up is incomplete).
One issue with storing OpenPGP KeyID in X.509 Subject Key Identifier
(SKI) is that over the last decade and earlier popular S/MIME clients
were not using SKI to identify a recipient. Instead, they were using the
X.509 cert's Issuer and SN. Therefore, one will have to encode OpenPGP
keyID into the SN of the X.509 cert to be able to locate the OpenPGP key
later from the encrypted S/MIME message. This works if the ecosystem
owns an issuing X.509 Sub-CA, so that it's possible to control the SNs.
* message interoperability (PGP/MIME vs. S/MIME)
This can't be solved by a technical spec, it's an application issue which you
resolve by e.g. writing a PGP plugin for Outlook.
Peter.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
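A worked illustration of the "Key ID in the serial number" scheme discussed above, added here as an example that is not code from the thread or from any PGP product: it derives a v4 OpenPGP Key ID, encodes it as the DER INTEGER that becomes the X.509 serialNumber (RFC 5280 requires a positive integer of at most 20 octets, so a Key ID with its top bit set needs a leading 0x00), and recovers it from the issuer + serial that an S/MIME client actually has in hand. The key packet, issuer name and registry are constructed placeholders.

```python
import hashlib
import struct

def _mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte bit length, then the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

# Constructed sample: a v4 RSA public-key packet body (version 4, creation time,
# algorithm 1 = RSA, MPI n, MPI e). The modulus is a toy value, not a usable key;
# only the fingerprint / Key ID arithmetic matters here.
SAMPLE_KEY_PACKET_BODY = (b"\x04" + struct.pack(">I", 1467000000) + b"\x01"
                          + _mpi(0xC0FFEE0123456789ABCDEF) + _mpi(65537))

def openpgp_v4_fingerprint(packet_body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || two-octet body length || body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(packet_body)) + packet_body).digest()

def openpgp_keyid(fingerprint: bytes) -> int:
    """The 64-bit Key ID is the low-order eight octets of the v4 fingerprint."""
    return int.from_bytes(fingerprint[-8:], "big")

def keyid_to_serial_der(keyid: int) -> bytes:
    """Encode the Key ID as the DER INTEGER used for the X.509 serialNumber.
    RFC 5280 requires a positive integer, so a Key ID whose top bit is set gets
    a leading 0x00 octet; otherwise a DER decoder would read it as negative."""
    body = keyid.to_bytes((keyid.bit_length() + 8) // 8, "big")  # minimal two's complement
    return b"\x02" + bytes([len(body)]) + body

def serial_der_to_keyid(der: bytes) -> int:
    """Recover the Key ID from a serialNumber taken out of a CMS issuerAndSerialNumber."""
    if len(der) < 3 or der[0] != 0x02 or der[1] != len(der) - 2 or der[1] > 20:
        raise ValueError("not a well-formed X.509 serialNumber")
    value = int.from_bytes(der[2:], "big", signed=True)
    if not 0 <= value < (1 << 64):
        raise ValueError("serial does not carry a 64-bit OpenPGP Key ID")
    return value

def locate_openpgp_key(issuer_dn: str, serial_der: bytes, registry: dict):
    """What a client holding only issuer + serial can do: map them back to the
    OpenPGP key. The registry is keyed per issuer, mirroring the need to control
    serials from your own Sub-CA so that the mapping stays unique."""
    return registry.get((issuer_dn, serial_der_to_keyid(serial_der)))
```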