Problem description
I'm trying to sort out my use of digital signatures and encryption. I understand that there are 2 main ways to do this: the PGP way and the SSL way.

What I would like to know is if it's possible to use the same private key for both the SSL certificate and GnuPG, provided that this is an RSA 2048-bit key.

I already have an SSL certificate signed by a CA, so I was hoping to use that certificate's private key as the GnuPG master private key.

I know that we can't make assertions between the SSL and GnuPG this way, but I would like to have only one private key (thus only having to protect one piece of data).

Thanks

Solution

You can do this, but it's not necessarily good practice.

Firstly, when you say "SSL certificate", you probably mean "X.509 certificate". SSL/TLS uses X.509 certificates most of the time, but it can also use OpenPGP certificates (as far as I'm aware, only GnuTLS supports them).

Note that I'm also using the expression "OpenPGP certificate". Most people call them "(Open)PGP public keys", but they are in fact certificates: they're the combination of a public key, an identifier and some attributes, signed by other entities which attach their signature to it, so as to form the overall certificate. Strictly speaking, it's not just a public key.

The main difference between an X.509 certificate and a PGP certificate is that the X.509 can only have one signature (that of the issuer), whereas multiple signatures can be added onto a PGP certificate. (The PGP model can be used for a hierarchical PKI-like model, whereas the PKI model can't be used to handle the Web-of-Trust model.)

This Java code demonstrates how to "convert" a set of PGP keys into a self-signed X.509 certificate. In principle, you could also turn it into a CSR to get an X.509 certificate from a CA. Whether it's a good idea to do so is a different matter.

Firstly, it's usually a good idea to re-generate new key-pairs once in a while. Typically, that's one of the reasons X.509 certificates used for SSL have an end of validity date (PGP signatures can also be limited in time).

You would also effectively put all your eggs in the same basket. If one of the keys is compromised, both your X.509 and PGP certificates would be compromised.

More importantly, it's considered bad practice to re-use the same keys for signing and encryption: using them for two different applications (SSL/TLS and GnuPG) would only make the problem worse.
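The answer's "eggs in one basket" point can be checked mechanically. The Go program below is an added example and is not code from the question, the answer or the Java code the answer links to: it takes one RSA key, wraps it both as a self-signed X.509 certificate and as the body of an OpenPGP version 4 public-key packet (RFC 4880), and then compares the RSA moduli to detect that a single private key stands behind both identities. Everything in it is an assumption made for this example: the packet builder and parser, the self-signed certificate, the placeholder subject `example.test` and the `demo` entry point.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert wraps an RSA key in a minimal self-signed X.509 certificate (DER).
func selfSignedCert(key *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // placeholder subject for this example
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // X.509 carries an end of validity
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// mpi encodes an OpenPGP multi-precision integer: 2-byte bit count, then the magnitude (RFC 4880 3.2).
func mpi(n *big.Int) []byte {
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(n.BitLen()))
	return append(out, n.Bytes()...)
}

// openpgpPublicKeyBody builds a v4 RSA public-key packet body (RFC 4880 5.5.2): version, creation time, algorithm 1 (RSA), MPI n, MPI e.
func openpgpPublicKeyBody(pub *rsa.PublicKey, created time.Time) []byte {
	body := []byte{4, 0, 0, 0, 0, 1}
	binary.BigEndian.PutUint32(body[1:5], uint32(created.Unix()))
	body = append(body, mpi(pub.N)...)
	return append(body, mpi(big.NewInt(int64(pub.E)))...)
}

// modulusFromOpenPGP parses a v4 RSA public-key packet body and returns its modulus n.
func modulusFromOpenPGP(body []byte) (*big.Int, error) {
	if len(body) < 8 || body[0] != 4 {
		return nil, errors.New("not a v4 public-key packet")
	}
	if alg := body[5]; alg != 1 && alg != 2 && alg != 3 { // the three RSA algorithm ids
		return nil, fmt.Errorf("unsupported public-key algorithm %d", alg)
	}
	nlen := (int(binary.BigEndian.Uint16(body[6:8])) + 7) / 8
	if len(body) < 8+nlen {
		return nil, errors.New("truncated modulus MPI")
	}
	return new(big.Int).SetBytes(body[8 : 8+nlen]), nil
}

// sharesKey reports whether a DER certificate and an OpenPGP public-key packet body carry the same RSA modulus, i.e. one private key behind both identities.
func sharesKey(certDER, pgpBody []byte) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("certificate does not carry an RSA key")
	}
	n, err := modulusFromOpenPGP(pgpBody)
	if err != nil {
		return false, err
	}
	return pub.N.Cmp(n) == 0, nil
}

// demo generates two keys, wraps one as both an X.509 certificate and an OpenPGP key,
// and returns (reuse detected for the shared key, reuse reported across distinct keys).
func demo(bits int) (same, cross bool, err error) {
	shared, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return
	}
	separate, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return
	}
	cert, err := selfSignedCert(shared, "example.test")
	if err != nil {
		return
	}
	same, err = sharesKey(cert, openpgpPublicKeyBody(&shared.PublicKey, time.Now()))
	if err == nil {
		cross, err = sharesKey(cert, openpgpPublicKeyBody(&separate.PublicKey, time.Now()))
	}
	return
}

func main() {
	same, cross, err := demo(2048)
	fmt.Println("same key in X.509 and OpenPGP:", same, "| distinct keys flagged:", cross, "| error:", err)
}
```

`demo(2048)` reports `true` for the key that backs both the certificate and the OpenPGP packet and `false` for the unrelated key, which is exactly the comparison an audit would run over a real certificate and an exported key to find the shared-key situation the answer warns about. A real exported key (for example from `gpg --export`) is a sequence of packets with headers; this parser reads only the public-key packet body, so a packet-header parser would have to sit in front of it.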
