
Re: PGP keys in IKE



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tero Kivinen wrote:
> 
> Will Price writes:
> > * It is recommended that a Certificate Request payload be sent
> > with the PGP identifier so as to make sure there is no confusion
> > over certificate types.  With the imminent advent of DNS keys in
> > IKE and some people using X.509 now, I think this is going to be
> > important for all implementations.
> 
> What is the contents of the certificate request, i.e. what does the
> certificate authority field contain, and in what format? Empty?

I think the right thing to put here is the fingerprint of a
particular PGP CA Key that is desired.  We don't currently use this.

> > * The Phase 1 ID must be (regardless of whether you are using PGP
> > or X.509 or ...) based from the certificate.  In the case of PGP,
> > it must be the primary user ID.
> 
> What identity type you are using? ID_USER_FQDN? But that cannot
> contain the comment field that is usually present in the pgp-keys
> ("Tero Kivinen <kivinen@ssh.fi>"), it can only contain
> "kivinen@ssh.fi". Actually the definition in the DOI says
> "fully-qualified username string", so I am not sure if it can
> contain comment fields also...
> 
> Another possibility could be the ID_KEY_ID with the key binary key
> ID of the pgp key.

Yes, we currently use ID_KEY_ID with the full 20-byte fingerprint of
the key as the Phase 1 ID.  Has nothing to do with the primary user
ID as I had mistakenly stated in my last message.  Note that the term
"KeyID" as used in OpenPGP parlance is really just a subset of the
fingerprint bytes.

I should really write this up.

- -- Will

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOFce66y7FkvPc+xMEQLCNQCg96FBt6opLbvf4tiMeduFCXoJ5D8AniSJ
eX9n8CxxMI0p+WvGtAOeitPe
=LV9h
-----END PGP SIGNATURE-----
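The encoding the message above describes, as an added worked example (not part of the original message, and not the PGP/NAI implementation's code): compute a v4 OpenPGP fingerprint the way RFC 2440 specifies it, show that the 64-bit KeyID is just its trailing 8 bytes, put the full fingerprint into an ISAKMP Identification payload of type ID_KEY_ID, put a CA key fingerprint into a Certificate Request payload of type "PGP Certificate", and do the receiver-side check that the Phase 1 ID actually equals the fingerprint of the key that will verify the signature. Payload layouts and type numbers are from RFC 2408 and RFC 2407; the sample key is a constructed toy RSA key, not a real one, and the helper names are this example's own.

```python
# Added example: OpenPGP fingerprint / KeyID and the IKE Phase 1 payloads
# that carry them.  Constants follow RFC 2408 (ISAKMP) and RFC 2407 (IPsec
# DOI); the fingerprint formula follows RFC 2440 (OpenPGP).  The sample key
# at the bottom is a constructed toy key, not a real one.
import hashlib
import struct

CERT_PGP = 2        # RFC 2408 3.9: certificate encoding "PGP Certificate"
ID_USER_FQDN = 3    # RFC 2407 4.6.2.1: identification types
ID_KEY_ID = 11
NEXT_NONE = 0       # next-payload value meaning "last payload"


def v4_public_key_body(created, n, e):
    """Body of an OpenPGP v4 RSA public-key packet (RFC 2440, 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), then MPIs n and e
    (2-byte bit count followed by the magnitude)."""
    def mpi(x):
        bits = x.bit_length()
        return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(key_body):
    """RFC 2440, 11.2: v4 fingerprint = SHA-1(0x99 || 2-byte body length || body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()


def key_id(fpr):
    """The 64-bit OpenPGP KeyID is the low-order 8 bytes of the fingerprint."""
    return fpr[-8:]


def id_payload(ident, next_payload=NEXT_NONE):
    """ISAKMP Identification payload (RFC 2408, 3.8) with ID type ID_KEY_ID.
    The IPsec DOI splits the 24-bit DOI-specific field into Protocol ID
    (1 byte) and Port (2 bytes); zero means "any" (RFC 2407, 4.6.2)."""
    length = 8 + len(ident)
    return struct.pack(">BBHBBH", next_payload, 0, length, ID_KEY_ID, 0, 0) + ident


def cert_request_payload(ca_fpr, next_payload=NEXT_NONE):
    """ISAKMP Certificate Request payload (RFC 2408, 3.10) asking for a PGP
    certificate.  The Certificate Authority field carries the fingerprint of
    the wanted CA key, which is what the message suggests (the DOI does not
    fix this format)."""
    length = 5 + len(ca_fpr)
    return struct.pack(">BBHB", next_payload, 0, length, CERT_PGP) + ca_fpr


def parse_id_payload(buf):
    """Return (id_type, data), checking the length field against what was
    actually received so a short or padded payload is rejected."""
    if len(buf) < 8:
        raise ValueError("short ID payload")
    _nxt, _res, length, id_type, _proto, _port = struct.unpack(">BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError("ID payload length mismatch")
    return id_type, buf[8:length]


def id_matches_key(buf, key_body):
    """Receiver-side check: the Phase 1 ID must be ID_KEY_ID and must equal
    the full 20-byte fingerprint of the key used to verify the peer's
    signature.  A bare 8-byte KeyID is refused: it is only a suffix of the
    fingerprint, so it does not identify the key as tightly."""
    id_type, data = parse_id_payload(buf)
    return id_type == ID_KEY_ID and len(data) == 20 and data == fingerprint(key_body)


if __name__ == "__main__":
    # Constructed toy key (64-bit modulus, not usable for real signatures).
    key = v4_public_key_body(945000000, 0xC3D4E5F6A7B8C9D1, 65537)
    fpr = fingerprint(key)
    print("fingerprint:", fpr.hex())
    print("keyid:      ", key_id(fpr).hex())
    print("ID payload: ", id_payload(fpr).hex())
    print("CERTREQ:    ", cert_request_payload(fpr).hex())
    print("ID matches key:", id_matches_key(id_payload(fpr), key))
```

The check in id_matches_key is the point of binding the Phase 1 ID to the certificate: an ID that does not match the fingerprint of the key presented for authentication must fail the exchange, whatever user ID string the certificate carries.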