tags:

views:

33

answers:

2
Q: 

is it possible to create an ssl certificate out of a pgp public/private key ?

i have a pgp public/private (RSA) key pair that my friends trust. i have a webserver running and i'd like to generate an ssl certificate whose public key matches my pgp public key.

does that make any sense ? is that possible ? is that safe ?

+1  A: 

Though both are a form of public-key cryptography, they are different. See http://forums.comodo.com/digital-certificates-encryption-and-digital-signing/what-is-the-difference-between-ssl-public-key-and-pgp-public-key-t21909.0.html

 2010-10-31 00:59:05
Yep, understood that they serve different purposes (packaging and intended usage). The question, however, is whether you can use the same public key for both cases.
 2010-10-31 17:02:00
That link is quite confusing, what a lot of people call "PGP public keys" are in fact certificates: http://www.pgpi.org/doc/pgpintro/ (This being said, the purpose of a PGP certificate and that of an X.509 certificate are different indeed.)
Bruno  2010-10-31 21:34:42
+1  A: 

If the key format in your PGP key is supported in the X.509 format too, it's possible. RSA is one of them.

Here is a Java implementation that turns a PGP certificate into a self-signed X.509 certificate, using BouncyCastle (You'll need to load the BouncyCastle security provider before loading it).

Note that what most people call a PGP public key is in fact a PGP certificate. The public key itself is the RSA key (or other format) which is contained within those certificates. Hence it's possible to take the key material and use it in the other. However, by doing so, you lose the information that makes the PGP certificate a certificate: the binding of the key to an identity and the signatures added by others (following the PGP model).

You could potentially put the extra information of the PGP certificate into your own extension in the X.509 certificate perhaps.

Whether it makes sense to do so probably depends on what you want to achieve. Re-using the same key material more or less implies that "you" (ID behind the PGP certificate) and your webserver become one and the same, since if one private key is compromised, so is the other (Apache Httpd, for example, requires the private key not to be password-protected when they're stored on the server, although it would often only be accessible by the root user). In addition, this probably won't help much your visitors who're going to visit the website, unless they want to dig within the "unknown certificate" warning box to check the public key matches yours (which they may know).

Bruno  2010-10-31 21:29:57

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL