Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

Peter Gutmann <> Mon, 04 July 2016 04:14 UTC


Andrey Jivsov <> writes:

>One issue with storing OpenPGP KeyID in X.509 Subject Key Identifier (SKI) is
>that over the last decade and earlier popular S/MIME clients were not using
>SKI to identify a recipient. Instead, they were using the X.509 cert's Issuer
>and SN. Therefore, one will have to encode OpenPGP keyID into the SN of the
>X.509 cert to be able to locate the OpenPGP key later from the encrypted
>S/MIME message. This works if the ecosystem owns an issuing X.509 Sub-CA, so
>that it's possible to control the SNs.

We'd really need to get more data on what can handle sKID, since in my case
the use is all closed environments (banking, embedded, SCADA, etc) it's easy
enough to simply specify that the implementation needs to support sKID but
there's no current data (that I know of) on general support.  In any case I
think getting a small number of implementations to support sKID is going to be
vastly easier than asking CAs to put PGP IDs into certs.

In any case it doesn't cost anything to put the sKID/iAndS details into the
spec, and if you want it you've at least got an interoperable way of doing it.
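
[Added example, not part of the original message or of any implementation discussed in the thread.] The two recipient-lookup forms mentioned above, sKID and iAndS, are the two choices of the CMS RecipientIdentifier (RFC 5652). The sketch below classifies a DER-encoded RecipientIdentifier and recovers an OpenPGP key ID from either form. It assumes the 8-byte key ID is stored as the sKID value or as the certificate serial number; the helper names and sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV; reject malformed lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def recipient_key_id(rid):
    """Map a RecipientIdentifier to (kind, key ID). Assumption: the OpenPGP
    key ID is the sKID value or the serial number issued by a controlled Sub-CA."""
    tag, value, end = read_tlv(rid)
    if end != len(rid):
        raise ValueError("trailing bytes after RecipientIdentifier")
    if tag == 0x80:                      # [0] IMPLICIT SubjectKeyIdentifier
        kind, key_id = "sKID", value
    elif tag == 0x30:                    # IssuerAndSerialNumber SEQUENCE
        itag, _issuer, pos = read_tlv(value)
        stag, serial, pos = read_tlv(value, pos)
        if itag != 0x30 or stag != 0x02 or pos != len(value):
            raise ValueError("malformed IssuerAndSerialNumber")
        # Undo DER INTEGER encoding: drop sign byte, restore leading zeros.
        kind, key_id = "iAndS", serial.lstrip(b"\x00").rjust(8, b"\x00")
    else:
        raise ValueError("unknown RecipientIdentifier choice")
    if len(key_id) != 8:
        raise ValueError("not an 8-byte OpenPGP key ID")
    return kind, key_id

def tlv(tag, value):                     # short-form DER encoder for the samples
    return bytes([tag, len(value)]) + value

# Constructed sample data (not from any real message or certificate).
KEY_ID = bytes.fromhex("c0ffee0123456789")
CN = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example Sub-CA"))
ISSUER = tlv(0x30, tlv(0x31, CN))
RID_SKID = tlv(0x80, KEY_ID)
RID_IANDS = tlv(0x30, ISSUER + tlv(0x02, b"\x00" + KEY_ID))
if __name__ == "__main__":
    for rid in (RID_SKID, RID_IANDS):
        print(recipient_key_id(rid)[0], recipient_key_id(rid)[1].hex())
```

A conventional 20-byte hash-derived sKID is rejected by the length check, so a lookup built this way fails closed on certificates that do not follow the assumed convention.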