List: gnupg-devel
Subject: Re: get the trust level of an external key
From: Jbar <jeanjacquesbrucker () gmail ! com>
Date: 2012-01-18 6:08:46
Message-ID: 201201180708.51444.jeanjacquesbrucker () gmail ! com
On Tuesday 17 January 2012 22:13:52, Daniel Kahn Gillmor wrote:
> On 01/17/2012 02:50 PM, Jbar wrote:
> >
> > Is there a way to check the trust level of an external certificate before
> > importing it? Or are we forced to import it, check its trust and then
> > remove it (or not)?
>
> If instead, you're talking about the validity of User IDs, you should be
> aware that this is not the same thing as trust (and that it can change
> over time, e.g. as certifications expire, keys are revoked, etc).
Yes, I am talking about validity; I was saying "trust" because it is written so in some old GnuPG manuals. The better choice is to designate these two concepts with the words "validity" and "ownertrust", indeed (instead of the words "trust" and "ownertrust").
>
> In either case, though, it's probably simplest to import the key to get
> gpg to do any sort of sophisticated operations on it.
>
> if you want to avoid contaminating one particular keyring, you could set
> up multiple GNUPGHOME directories -- one for triage, and once a key has
> passed triage, it could be exported into the "cleaner" keyring. Whether
> this is a useful arrangement probably depends on the needs and
> implementation of the rest of your system, though.
>
> hth,
>
> --dkg
I would not like to import the key, as in fact I already manage several keyrings. My use is close to something needed relative to RFC 6091 (http://tools.ietf.org/html/rfc6091), which you wrote with Nikolas Mavrogiannopoulos*:

I have agents (also called bots) which send their OpenPGP certificate (with sigs) to others. Each agent maintains the same keyring, the smallest possible (only minimized valid certificates, with ownertrust=4:marginal), which contains only individual/human certificates.

I then want to check the validity of the agent/bot certificate (according to the individual/human keyring).**

I have checked what GnuTLS does about that: http://www.gnu.org/software/gnutls/manual/html_node/OpenPGP-API.html#gnutls_005fopenpgp_005fcrt_005fverify_005fring ; and that is not sufficient to detect the validity of the certificate, which should thus be done manually :-(.

I don't know if GnuTLS uses libgpgme, but testing with gpg the validity of an external key may be a great feature for GnuTLS, Monkeysphere, and OpenUDC (our project).

What do you think? (Is there someone to code the patch, please?)

*: _Note 1:_ I don't use RFC 6091 or GnuTLS today, because I don't care about/need encryption and don't code in C, but in bash, to develop and test the required software architectures and features faster.

**: _Note 2:_ about our individual/human and agent/bot certificates, we wrote a draft: https://github.com/jbar/open-udc/blob/master/docs/Authentication_Mechanisms.draft.txt (not completely up to date, comments welcome).
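The triage-keyring approach dkg describes in the quoted reply, as an added bash example that is not part of this thread or of any of the projects named in it: the external certificate and the individual/human keyring are imported into a throw-away GNUPGHOME, the ownertrust file (lines of the form FINGERPRINT:4:, i.e. marginal) is applied there, and the validity letter is read from gpg's --with-colons output, so the working keyring is never touched. The file names, the constructed offline sample record and the accept-on-full-or-marginal policy are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: check an external OpenPGP certificate's
# validity against the individual/human keyring inside a throw-away GNUPGHOME.
# File names and the acceptance policy are assumptions made for this example.

# Translate the one-letter validity of a "pub"/"uid" record (field 2 of
# --with-colons output) into a word.
validity_word() {
    case "$1" in
        u) echo ultimate ;; f) echo full ;;    m) echo marginal ;;
        n) echo never ;;    r) echo revoked ;; e) echo expired ;;
        d) echo disabled ;; i) echo invalid ;; q|o|-) echo unknown ;;
        *) echo "unexpected:$1" ;;
    esac
}

# Read --with-colons output on stdin and print the validity letter of the first
# pub record (gpg reports the best validity of the key's user IDs there).
pub_validity() {
    awk -F: '$1 == "pub" { print $2; exit }'
}

# Constructed sample of what "gpg --with-colons --list-keys" prints for a bot
# key certified by fewer marginally trusted humans than marginals-needed ("m").
SAMPLE_COLONS='tru::1:1326845326:0:3:1:5
pub:m:2048:1:0123456789ABCDEF:1326845326:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:m::::1326845326::0000000000000000000000000000000000000000::Example Bot <bot@example.org>::::::::::0:'

sample_validity() {
    printf '%s\n' "$SAMPLE_COLONS" | pub_validity
}

# triage_validity CERT HUMAN_KEYRING OWNERTRUST_FILE
# OWNERTRUST_FILE holds "FINGERPRINT:4:" lines (4 = marginal) for the humans.
# Prints "<fingerprint> <validity>" and returns 0 only for full or marginal
# validity (a hypothetical acceptance policy for this example).
triage_validity() {
    local cert=$1 human_ring=$2 ownertrust=$3 tmp fpr letter
    tmp=$(mktemp -d) || return 2            # mktemp creates the dir mode 700
    gpg --homedir "$tmp" --batch --quiet --import "$human_ring" "$cert" 2>/dev/null
    gpg --homedir "$tmp" --batch --quiet --import-ownertrust "$ownertrust" 2>/dev/null
    gpg --homedir "$tmp" --batch --quiet --check-trustdb 2>/dev/null
    fpr=$(gpg --homedir "$tmp" --batch --with-colons --show-keys "$cert" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    letter=$(gpg --homedir "$tmp" --batch --with-colons --list-keys "$fpr" 2>/dev/null \
             | pub_validity)
    rm -rf "$tmp"                           # nothing leaves the triage homedir
    echo "$fpr $(validity_word "$letter")"
    case "$letter" in f|m) return 0 ;; *) return 1 ;; esac
}
```

Because the human keyring is imported fresh each time, certifications that expired or keys that were revoked since the last check are reflected in the result, which is the point dkg makes about validity changing over time.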
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel