Re: [TLS] Review of draft-ietf-tls-openpgp-keys-08

"Nikos Mavrogiannopoulos" <> Tue, 16 May 2006 10:17 UTC

Date: Tue, 16 May 2006 12:17:51 +0200
From: Nikos Mavrogiannopoulos <>
To: "" <>
Subject: Re: [TLS] Review of draft-ietf-tls-openpgp-keys-08

On 5/16/06, <> wrote:

> All this ("typical way" etc, "might be signed by tens", ..) seems to
> indicate that usually a single certificate is enough, but there may
> be situations where several would be useful. In other words, the
> situation is not that different from X.509, and we should keep the
> Certificate payload as a list...

Indeed there are situations where a list might do, but there are also
situations where a graph would be better, or just a single one might do.
The idea in this draft is to keep the key exchange separate from any local
verification policy. If one wants to use the web of trust, he can use it.
If somebody else wants to use openpgp keys the same way as PKIX
certificates, he can also use the current draft. In all cases unknown keys
are retrieved via a key server or by other means.

That approach follows the way openpgp keys are used in electronic mail
and I see no good reason to change it by introducing an openpgp key
chain in this draft.
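A toy model of the separation argued for above, added here as an illustration and not part of the draft or of this thread: the handshake delivers one OpenPGP key, and a locally configured policy decides how to validate it, fetching unknown keys from a key server. The `OpenPGPKey` dataclass, the fingerprints and the `make_keyserver` callback are constructed stand-ins, not the draft's wire format. What it demonstrates is that a PKIX-style chain and a web-of-trust graph are both a local path search over certification signatures, differing only in the anchor set and the permitted depth, so the verifier can rebuild whichever structure its policy needs without the handshake carrying a chain.

```python
# Constructed illustration (not the draft's wire format): one key arrives via the
# handshake; a local policy object decides acceptance, using a key-server lookup
# for any certifier it does not already hold.
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class OpenPGPKey:
    fingerprint: str                          # constructed short fingerprint
    user_id: str
    certified_by: FrozenSet[str] = frozenset()  # fingerprints of keys that signed this one


KeyLookup = Callable[[str], Optional[OpenPGPKey]]


def make_keyserver(keys: List[OpenPGPKey]) -> KeyLookup:
    """Stand-in for 'retrieved via a key server or by other means'."""
    index: Dict[str, OpenPGPKey] = {k.fingerprint: k for k in keys}
    return index.get


class PinnedKeyPolicy:
    """Single-key policy: accept only locally pinned fingerprints; no lookup used."""

    def __init__(self, pinned: Set[str]) -> None:
        self.pinned = set(pinned)

    def accept(self, key: OpenPGPKey, lookup: KeyLookup) -> Optional[List[str]]:
        return [key.fingerprint] if key.fingerprint in self.pinned else None


class CertificationPathPolicy:
    """Accept if a certification path from the received key reaches a trusted anchor.

    One anchor with a small max_depth behaves like a PKIX chain; many anchors
    (trusted introducers) with a larger depth is a web-of-trust search. In both
    cases the path is reconstructed locally, not carried in the handshake.
    """

    def __init__(self, anchors: Set[str], max_depth: int) -> None:
        self.anchors = set(anchors)
        self.max_depth = max_depth

    def accept(self, key: OpenPGPKey, lookup: KeyLookup) -> Optional[List[str]]:
        # Breadth-first search over certifier edges; the visited set stops cycles
        # (mutual certifications are normal in the web of trust).
        queue = deque([(key, [key.fingerprint])])
        visited = {key.fingerprint}
        while queue:
            current, path = queue.popleft()
            if current.fingerprint in self.anchors:
                return path
            if len(path) - 1 >= self.max_depth:      # edges used so far
                continue
            for cert_fp in sorted(current.certified_by):
                if cert_fp in visited:
                    continue
                visited.add(cert_fp)
                if cert_fp in self.anchors:          # anchors are held locally
                    return path + [cert_fp]
                certifier = lookup(cert_fp)
                if certifier is None:                # unknown key: path cannot continue
                    continue
                queue.append((certifier, path + [cert_fp]))
        return None


# Constructed sample key graph: a CA-style chain and a mutually-signed pair.
ROOT = OpenPGPKey("ROOT0001", "Example Root")
INTER = OpenPGPKey("INTER001", "Example Intermediate", frozenset({"ROOT0001"}))
ALICE = OpenPGPKey("ALICE001", "alice", frozenset({"BOB00001"}))
BOB = OpenPGPKey("BOB00001", "bob", frozenset({"ALICE001"}))
# The server's key is what the handshake delivers; it is not on the key server.
SERVER = OpenPGPKey("SERV0001", "tls.example", frozenset({"INTER001", "ALICE001"}))
LOOKUP = make_keyserver([ROOT, INTER, ALICE, BOB])


def verify_peer(policy, received: OpenPGPKey = SERVER) -> Optional[List[str]]:
    """Apply a local policy to the key received in the handshake."""
    return policy.accept(received, LOOKUP)


if __name__ == "__main__":
    print("pinned  :", verify_peer(PinnedKeyPolicy({"SERV0001"})))
    print("pkix    :", verify_peer(CertificationPathPolicy({"ROOT0001"}, 2)))
    print("wot     :", verify_peer(CertificationPathPolicy({"BOB00001"}, 3)))
    print("unknown :", verify_peer(CertificationPathPolicy({"CAROL001"}, 5)))
```

The same received key is accepted or rejected purely according to the policy object, which is the point of keeping the Certificate payload a single key: the list-versus-graph question moves entirely to the verifier's configuration.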

