[Help-gnutls] Re: OpenPGP certificate verification for TLS connections
From: Ludovic Courtès
Subject: [Help-gnutls] Re: OpenPGP certificate verification for TLS connections
Date: Wed, 18 Apr 2007 09:34:29 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
Hi,
Daniel Kahn Gillmor <address@hidden> writes:
> Note that the OpenPGP web of trust infrastructure allows for clean,
> arbitrary authentication policy, configurable by existing tools. The
> authentication question OpenPGP asks is: "to whom does the presented
> key really belong?" The answer it gives is a list of authenticated
> User IDs: all User IDs that have been sufficiently validated by the
> web of trust.
>
> Given this list of User IDs, the system can now perform arbitrary
> *authorization* policy checks: Are any of the presented User IDs
> authorized to use the particular service?
>
> Note that the authorization layer is completely agnostic about the
> keys. This is a feature, not a bug! It means users can have multiple
> keys (if each key is signed by the appropriate trusted people), users
> can revoke old keys in the case of compromise, keys can expire, and so
> on, all without any changes to the server itself or any centralized
> control [0].
I think I'm only starting to get your point, sorry for the delay. ;-)
My understanding of what you're saying is this (where "I" is the
server):
1. When I receive a connection from someone, I check the list of
signers contained in their public key (or "OpenPGP certificate", or
"transferable public key").
2. If that key is signed by someone I trust, then I can trust the
key-user ID binding itself.
3. _Since_ I trust the key-user ID binding, I can now make
authorization decisions based only on the user ID.
And this is why the contents of user ID packets matter: URIs would
indeed make it easier to implement step (3). I think I got it. :-)
That's probably a useful usage pattern. The problem that I see is that
it would be non-standard, so (getting back to the original topic) it may
be beyond the scope of GnuTLS. What would be useful, though, is a set
of tools to traverse the signer graph (as is required by step (2)).
Thanks,
Ludovic.
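Steps (1)-(3) above, as an added Python sketch that is not part of this thread and not GnuTLS code: the key IDs, keyring, trusted signers and access list are constructed, and a real implementation would parse OpenPGP packets and verify each certification signature cryptographically instead of trusting the signer lists as given.

```python
from dataclasses import dataclass


@dataclass
class Certificate:
    """Minimal model of an OpenPGP transferable public key (constructed)."""
    key_id: str
    # User ID -> set of key IDs that certified this key<->User ID binding
    user_ids: dict
    revoked: bool = False


def authenticated_user_ids(cert, keyring, trusted_signers):
    """Steps (1)-(2): walk the signers on each User ID and keep only the
    bindings certified by a signer the server trusts.  A self-signature
    gives no third-party assurance, and a revoked signer is ignored."""
    if cert.revoked:
        return set()
    result = set()
    for uid, signers in cert.user_ids.items():
        for signer in signers:
            if signer == cert.key_id or signer not in trusted_signers:
                continue
            signer_cert = keyring.get(signer)
            if signer_cert is None or signer_cert.revoked:
                continue
            result.add(uid)
            break
    return result


def authorize(cert, keyring, trusted_signers, allowed_user_ids):
    """Step (3): the authorization decision looks only at authenticated
    User IDs, never at the key itself, so key rotation needs no ACL change."""
    uids = authenticated_user_ids(cert, keyring, trusted_signers)
    return bool(uids & set(allowed_user_ids))


# Constructed sample keyring; key IDs are placeholders, not real keys.
KEYRING = {
    "ADMIN-KEY": Certificate("ADMIN-KEY", {"admin": {"ADMIN-KEY"}}),
    "OLD-SIGNER": Certificate("OLD-SIGNER", {"old": {"OLD-SIGNER"}}, revoked=True),
    # alice's current and previous keys, both certified by the trusted admin
    "ALICE-KEY-1": Certificate("ALICE-KEY-1", {"alice": {"ALICE-KEY-1", "ADMIN-KEY"}}),
    "ALICE-KEY-2": Certificate("ALICE-KEY-2", {"alice": {"ALICE-KEY-2", "ADMIN-KEY"}}),
    # a key that merely claims "alice" (self-signed) and one signed by a revoked key
    "UNKNOWN-KEY": Certificate("UNKNOWN-KEY", {"alice": {"UNKNOWN-KEY"},
                                               "unknown": {"UNKNOWN-KEY", "OLD-SIGNER"}}),
}
TRUSTED_SIGNERS = {"ADMIN-KEY", "OLD-SIGNER"}
ALLOWED_USER_IDS = {"alice"}
```

Both of alice's keys are accepted and the self-asserted "alice" User ID on UNKNOWN-KEY is not, which is exactly why the server can stay agnostic about keys.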