
Re: Status of RFC2440



On Thursday 21 October 2004 04:01, Hironobu SUZUKI wrote:
> "X.509 is a standard". It is true because we have no any alternative
> choice for CA service in OpenPGP. It is hard to make OpenPGP CA
> service because there is no trust model with certificate authority in
> OpenPGP.

Actually, all the necessary flags are there:

section 5.2.3.12 Trust Signature  (can be used for sub-CA signature).

section 5.2.3.14 Revocation Key (necessary for some strictly hierarchical CA models).

section 5.2.3.20 Key Flags:
0x01 - this key may be used to certify other keys (read: Sub-CA)
0x02/0x04/0x08 - this key may be used to sign/encrypt data (read: user key)
0x10 - key escrow (minefield warning: partly patented by PGP Inc.)
0x80 - group key



All that is left to do is:
* implement support for this model in OpenPGP aware products
* issue a list of trusted CAs (public keyring) suitable for your application



	Konrad
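
The three subpackets Konrad points at can be read straight off the wire. The decoder below is an added example, not code from this thread or from any OpenPGP implementation; the subpacket type numbers and length encoding are those of RFC 2440 section 5.2.3, and the sample bytes are constructed for illustration.

```python
"""Decode the RFC 2440 signature subpackets used for a CA model:
Trust Signature (type 5), Revocation Key (type 12), Key Flags (type 27)."""

TRUST_SIG, REVOCATION_KEY, KEY_FLAGS = 5, 12, 27   # RFC 2440 5.2.3.1 type values
FLAG_NAMES = {0x01: "certify", 0x02: "sign", 0x04: "encrypt-communications",
              0x08: "encrypt-storage", 0x10: "split-key", 0x80: "group-key"}

def parse_subpackets(data: bytes) -> list:
    """Walk a hashed/unhashed subpacket area; yield (type, critical, body)."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:                              # 1-octet length
            length, i = first, i + 1
        elif first < 255:                            # 2-octet length
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:                                        # 5-octet length
            length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        body = data[i:i + length]
        if len(body) != length or length == 0:
            raise ValueError("truncated subpacket")
        # bit 7 of the type octet is the "critical" bit
        out.append((body[0] & 0x7F, bool(body[0] & 0x80), body[1:]))
        i += length
    return out

def describe(subpackets: list) -> dict:
    """Map decoded subpackets to the CA roles discussed in the mail."""
    info = {}
    for typ, critical, body in subpackets:
        if typ == KEY_FLAGS:
            flags = body[0]
            info["flags"] = [n for bit, n in FLAG_NAMES.items() if flags & bit]
            # 0x01 = may certify other keys (sub-CA); 0x02/0x04/0x08 = user key
            info["role"] = ("sub-CA" if flags & 0x01 else
                            "user key" if flags & 0x0E else "none")
        elif typ == TRUST_SIG:
            info["trust"] = {"level": body[0], "amount": body[1]}
        elif typ == REVOCATION_KEY:
            info["revoker"] = {"sensitive": bool(body[0] & 0x40),
                               "algo": body[1], "fingerprint": body[2:].hex()}
        elif critical:
            # RFC 2440: an unknown critical subpacket makes the signature an error
            raise ValueError(f"unknown critical subpacket type {typ}")
    return info

# Constructed sample: key flags 0x01, trust sig level 1/amount 120, revoker (DSA).
SAMPLE = (b"\x02\x1b\x01" + b"\x03\x05\x01\x78" +
          b"\x17\x0c\x80\x11" + b"\xab" * 20)
```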
