ietf-openpgp

Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

2016-07-03 23:14:51
Andrey Jivsov <openpgp(_at_)brainhub(_dot_)org> writes:

One issue with storing OpenPGP KeyID in X.509 Subject Key Identifier (SKI) is
that over the last decade and earlier popular S/MIME clients were not using
SKI to identify a recipient. Instead, they were using the X.509 cert's Issuer
and SN. Therefore, one will have to encode OpenPGP keyID into the SN of the
X.509 cert to be able to locate the OpenPGP key later from the encrypted
S/MIME message. This works if the ecosystem owns an issuing X.509 Sub-CA, so
that it's possible to control the SNs.

We'd really need to get more data on what can handle sKID. Since in my case
the use is all closed environments (banking, embedded, SCADA, etc.), it's easy
enough to simply specify that the implementation needs to support sKID, but
there's no current data (that I know of) on general support. In any case I
think getting a small number of implementations to support sKID is going to be
vastly easier than asking CAs to put PGP IDs into certs.

In any case it doesn't cost anything to put the sKID/iAndS details into the
spec, and if you want it you've at least got an interoperable way of doing it.

Peter.
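The two recipient-identification paths discussed in this exchange (the sKID form versus the issuer-and-serial form, and Andrey's fallback of carrying the OpenPGP Key ID in the certificate serial number so an encrypted S/MIME message can still be mapped back to the OpenPGP key) worked through as an added Python example. This code is not part of the thread or any OpenPGP/S-MIME implementation; it assumes OpenPGP v4 Key IDs (RFC 4880 s. 12.2), a constructed toy public key, and a hypothetical Sub-CA issuer name, and it models only the identifier bytes, not a full CMS or X.509 parser.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian magnitude."""
    if n == 0:
        return b"\x00\x00"
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 s. 5.5.2): version 4, creation time, algorithm id, MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 s. 12.2: SHA-1 over 0x99, the two-octet body length, and the body itself."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def v4_key_id(fingerprint: bytes) -> bytes:
    """A v4 Key ID is the low-order 64 bits, i.e. the last eight octets, of the fingerprint."""
    return fingerprint[-8:]


def skid_extension_value(key_id: bytes) -> bytes:
    """DER OCTET STRING carrying the Key ID: the value an X.509 SubjectKeyIdentifier extension would hold."""
    assert len(key_id) < 128  # short-form DER length suffices for an 8- or 20-octet identifier
    return b"\x04" + bytes([len(key_id)]) + key_id


def serial_from_key_id(key_id: bytes) -> int:
    """Interpret the Key ID as a positive X.509 serial number (the fallback Andrey describes)."""
    return int.from_bytes(key_id, "big")


def der_serial(serial: int) -> bytes:
    """DER INTEGER for the serial; a leading 0x00 keeps it positive when the top bit is set."""
    mag = serial.to_bytes((serial.bit_length() + 7) // 8 or 1, "big")
    if mag[0] & 0x80:
        mag = b"\x00" + mag
    return b"\x02" + bytes([len(mag)]) + mag


def find_recipient_key(rid: dict, keyring: list):
    """
    Resolve a CMS RecipientIdentifier to a local key. rid is one of
      {"skid": bytes}                   -- subjectKeyIdentifier form
      {"issuer": str, "serial": int}    -- issuerAndSerialNumber form
    Each keyring entry carries the OpenPGP key_id plus the issuer/serial of its X.509 cert.
    Returns the matching entry, or None if the message was not encrypted to any local key.
    """
    for entry in keyring:
        if "skid" in rid and rid["skid"] == entry["key_id"]:
            return entry
        if "issuer" in rid and (rid["issuer"], rid["serial"]) == (entry["issuer"], entry["serial"]):
            return entry
    return None


# Constructed sample key: a toy RSA public key (tiny modulus, not usable for real cryptography).
SAMPLE_BODY = v4_public_key_body(created=1467587691, algo=1, mpis=[0xC0FFEE1234567891, 0x10001])
SAMPLE_FP = v4_fingerprint(SAMPLE_BODY)
SAMPLE_KEY_ID = v4_key_id(SAMPLE_FP)

# An ecosystem-owned Sub-CA (hypothetical name) issues the cert with both the SKI and the serial set
# to the OpenPGP Key ID, so either recipient-identifier form leads back to the same key.
KEYRING = [{
    "key_id": SAMPLE_KEY_ID,
    "issuer": "CN=Example OpenPGP Bridge Sub-CA",
    "serial": serial_from_key_id(SAMPLE_KEY_ID),
}]

if __name__ == "__main__":
    print("fingerprint:", SAMPLE_FP.hex().upper())
    print("key id:     ", SAMPLE_KEY_ID.hex().upper())
    print("SKI ext:    ", skid_extension_value(SAMPLE_KEY_ID).hex())
    print("serial DER: ", der_serial(KEYRING[0]["serial"]).hex())
    print("by sKID:    ", find_recipient_key({"skid": SAMPLE_KEY_ID}, KEYRING) is KEYRING[0])
    print("by iAndS:   ", find_recipient_key(
        {"issuer": KEYRING[0]["issuer"], "serial": KEYRING[0]["serial"]}, KEYRING) is KEYRING[0])
```

The serial-number route only works because the issuer is under the ecosystem's control: a public CA assigns its own serials, so a client that keys on issuer-and-serial has nothing to correlate with the OpenPGP Key ID unless the CA cooperates, which is the point Peter makes about sKID support being the easier ask.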
