
List:       gnupg-users
Subject:    Re: Resurrecting the Monkeysphere 🐒
From:       John Scott via Gnupg-users <gnupg-users@gnupg.org>
Date:       2023-08-13 3:06:49
Message-ID: 2ba70f92182cc3f886e9d221707bfbe08780d571.camel@posteo.net

On Sat, 2023-08-12 at 21:47 -0500, Jacob Bachmeyer wrote:
> Will there be support for importing, say, a Tor onion service keypair onto an OpenPGP certificate as a subkey?
That is one of the first things I plan to work on.

> Or, perhaps more practically, importing an existing OpenSSH keypair as an OpenPGP subkey?
That too is a priority. I've got a lot to learn especially when it comes to RFC 4880 (OpenPGP), but I'll make it happen.

On the contrary, Monkeysphere has previously had an emphasis on using OpenPGP keys for hostname verification for SSH, which I think is not worthy of effort since that's what DNSSEC and DANE are for. Unless someone can make a good argument, I will be dropping this from the scope of the project.

Anywho, you made some good arguments why excessive key reuse might be a bad thing. That's why thinking of things in terms of subkeys is absolutely the way to go, so you can have as many as you want to diversify risk, but have them all under your master key umbrella.

Some things will be harder than others to attain. For example, GnuPG already makes it pretty easy to go from OpenPGP to OpenSSH, X.509 to OpenPGP, and OpenPGP to X.509, and so transitively X.509 to OpenSSH. I just now deployed a new TLS certificate for johnscott.me that uses an OpenPGP subkey I just added. It's still an X.509 certificate, still signed by Let's Encrypt, and still has DANE (TLSA) records published, so it's fully compatible with the conventional way of doing things.

Monkeysphere will be more than just tooling; it'll also be documentation, so I can share how I pulled that off. It will also be plugins and hooks into existing applications and widely-deployed libraries. A priority will be libcurl. libcurl is very versatile and allows registering callback functions so you can do your own TLS certificate examination, for example, so making a library of procedures that has functions for common Monkeyspherian use cases shouldn't be too hard.

In fact, I want to show off that I'm now using an OpenPGP subkey for TLS on johnscott.me as of a few minutes ago, so I'm motivated to make a libcurl demo happen in the next few days.

As always, thank you for your interest.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users