Hello, OpenPGP CA (opens in new tab)

(sequoia-pgp.org)

77 pointsnwalfield5y ago11 comments

11 comments

9 comments · 4 top-level

mawise5y ago· 3 in thread

What's the difference between this and an in-house centrally managed CA?

thayne5y ago

I'm guessing you specifically mean a SSL/TLS CA? This is for PGP keys instead of X.509 certificates.

georgyo5y ago

While you're 100% correct, some organizations use S/MIME to send signed and encrypted emails with their TLS x.509 certs signed by their companies TLS CA.

But you can also get your X.509 cert signed by a public CA and then anyone on the internet can verify your S/MIME signed email.

In practice I've only seen this in government and government contractors, but I'm sure it is done else where.

The flaws with the above approach.

1. Smaller adoption that OpenPGP

2. You normally cannot encrypt outside your organization because their is no method for key discovery. Though if you received a signed message in the past, I believe you can use that.

3. Using pubic CA infrastructure means any trusted Public CA can impersonate anyone.

The OpenPGP CA solves all these problems because pgp Web Key Directory (WKD) and that is automatically scoped to domains.

1 more reply

viraptor5y ago

This is an in-house centrally managed CA.

lapinot5y ago· 2 in thread

This makes so much sense since every identity exists in the context of some authority, some common referential. You're never completely alone as the pgp-classic web of trust implies, instead you're trusting some centrally managed keys like your distros packet signers wich you always blindly accept.. The problem is we rarely sign keys as introducers (and rightfully so) since being a CA is a big responsability. CAs are not real persons. We should probably trust a handful of public CAs with well-defined scopes (some private network, some org), a couple smaller private groups and the exceptional direct trust for the closest friends we interact with daily..

Looking forward to using this.. Although in my case the source of thruth wouldn't be openpgp keys but perhaps wireguard keys to our vpn or maybe omemo or ssh keys.

viraptor5y ago

In practice the public CAs didn't quite work out. www.cacert.org tried it, and was interesting, but didn't work out in the end. Especially now its a bit of a joke with the login page on http and the website certificate not being cross-signed, so you have to accept them explicitly.

Woung19385y ago

cacert.org unnecessarily tried to merge real-world authentication of people with certificates to sites.

upofadown5y ago

I really like the term "Scoped Trust Signatures" and will steal it. An informative way to describe that mostly unknown and underappreciated OpenPGP feature.

nine_k5y ago

This is huge.

OpenPGP can becope usable in a scope of a realistically large organization, and most of the hassle can be put on the shoulders of dedicated IT people, instead of every user.

j / k navigate · click thread line to collapse

11 comments

9 comments · 4 top-level

mawise5y ago· 3 in thread

What's the difference between this and an in-house centrally managed CA?

thayne5y ago

I'm guessing you specifically mean a SSL/TLS CA? This is for PGP keys instead of X.509 certificates.

georgyo5y ago

While you're 100% correct, some organizations use S/MIME to send signed and encrypted emails with their TLS x.509 certs signed by their companies TLS CA.

But you can also get your X.509 cert signed by a public CA and then anyone on the internet can verify your S/MIME signed email.

In practice I've only seen this in government and government contractors, but I'm sure it is done else where.

The flaws with the above approach.

1. Smaller adoption that OpenPGP

2. You normally cannot encrypt outside your organization because their is no method for key discovery. Though if you received a signed message in the past, I believe you can use that.

3. Using pubic CA infrastructure means any trusted Public CA can impersonate anyone.

The OpenPGP CA solves all these problems because pgp Web Key Directory (WKD) and that is automatically scoped to domains.

1 more reply

viraptor5y ago

This is an in-house centrally managed CA.

lapinot5y ago· 2 in thread

Looking forward to using this.. Although in my case the source of thruth wouldn't be openpgp keys but perhaps wireguard keys to our vpn or maybe omemo or ssh keys.

viraptor5y ago

Woung19385y ago

cacert.org unnecessarily tried to merge real-world authentication of people with certificates to sites.

upofadown5y ago

I really like the term "Scoped Trust Signatures" and will steal it. An informative way to describe that mostly unknown and underappreciated OpenPGP feature.

nine_k5y ago

This is huge.

OpenPGP can becope usable in a scope of a realistically large organization, and most of the hassle can be put on the shoulders of dedicated IT people, instead of every user.

j / k navigate · click thread line to collapse