
Re: Debian-lex Wiki



Sorry for being so late to answer!
In fact, I cannot tell you much that you don't already know; I didn't
ask myself those questions, I only took them as having different uses. But
since it was a very valid question, I felt I should do some googling.


My feeling (only a feeling) is that GPG acts on the 'file' level, i.e.,
on user space level, while SSL communicates with the kernel; but I would
like more knowledgeable people to be more accurate.

From a practical and quite locally conditioned point of view, I have
experimented with the following:

- Using GnuPG for signing/encrypting e-mails with a key pair generated
by GPG as a halfway solution between unsigned and digitally signed
communications; I also use it sometimes for signing or encrypting
sensitive files. I don't use it as a proper digital signature, due to
the limitations imposed by our digital signatures act (law # 25506; you
can retrieve it, in Spanish, from here:
http://www.safjp.gov.ar/digesto_2/index/normas/LEY 24241/Ley25506.htm),
which declares to be legally binding only those digital signatures made
with the certificates issued by certified issuing authorities (CAs),
which is a whole different story. I don't know if it can import the keys
corresponding to these certificates (in PKCS12 format); I haven't tried it
so far (according to this page: http://wiki.cacert.org/wiki/PgpSigning
it would seem that gpg can't)*.
(You can retrieve mine, although it's old and expired, here:
http://ca.sgp.gov.ar/eMail/searchCert.html , searching by last name.)
According to local law, it doesn't provide a full digital signature,
because it cannot attest to the identity of the person holding the
certificate; but it was anyway a good point to start practicing. BTW,
you will find a lot of certificates, since they expire every 6 months and
I had to practice and insist a lot to make them work on Linux browsers.

- On the other hand, SSL is the cryptographic protocol that enables the
kernel to communicate securely over TCP/IP, as stated here:
http://en.wikipedia.org/wiki/Transport_Layer_Security (so it seems that
my first feeling wasn't that astray, was it?). It seems that any modern
distro installs it almost automatically; it is required by the Public
Key Infrastructure (PKI) that handles certificates, which seems to be
somewhat incompatible with the way gpg handles keys. For a better
description of the PKI, see here: http://en.wikipedia.org/wiki/X.509
and here: http://www.ietf.org/html.charters/pkix-charter.html . I've
used SSL in connection with the previously mentioned certificate issued
by the CA of the Argentine government.
As an aside, this certificate is only for signing, not encrypting.

I'm aware that this is by no means a comprehensive description and that
each statement raises more questions, but I hope that I was able to
convey the surface of the differences between gpg and ssl from a
practical (and quite personal) point of view.

---

*Searching a bit more on the possible interaction between gpg and the
X.509 protocol implemented by the Public Key Infrastructure, I found
this: " .16) Why doesn't GnuPG support X.509 certificates?
 GnuPG, first and foremost, is an implementation of the OpenPGP standard
(RFC 2440), which is a competing infrastructure, different from X.509.
 They are both public-key cryptosystems, but how the public keys are
actually handled is different. " (
http://www.gnupg.org/documentation/faqs.en.html#q6.16 )
There seems to be another piece of software, called gpgsm, which can
import PKCS keys, but I've never used it.

Kind regards to all of you,
Bárbara

PS: I added "asterisk" as a communications (PBX) package to the wiki.

ter wrote:
> On Wed, 2009-03-25 at 22:44 -0300, Barbara Figueirido wrote:
>> Hello all!
>> Following Elaine's suggestion, I've edited the category
>> "confidentiality", please review this.
>>
>> http://wiki.debian.org/DebianLex/ProposedMetapackages
>>
>> Any suggestions and/or improvements are welcome.
>>
>> Kind regards,
>> Barbara
>>
> Excellent!
> 
> Lots of questions. I'll ask one at a time. I use GPG and SSL for
> different things, following conventions in the software world. For legal
> practice, is one or the other more appropriate for different aspects of
> confidentiality? For example, email.
> 
> I have posed this same question at the discussion subpage
> http://wiki.debian.org/DebianLex/ProposedMetapackages/Discussion. The
> answer is worth saving as part of the working page, instead of being
> buried in a list thread.
> 
> Thanks,
> Elaine
> 
> 
> 
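
A worked example added here, not part of Bárbara's message or of the Debian-lex wiki: the X.509/PKI side of the discussion, done on the command line with openssl. It builds a self-signed CA, has that CA issue a certificate whose keyUsage permits signing only (the property the message describes for the government-issued certificate), exports the key and certificate as PKCS#12 (the import format mentioned in connection with gpgsm), and signs and verifies a file with a detached CMS (S/MIME) signature checked against the CA. It assumes an openssl command line of version 1.1.1 or later and a POSIX shell; every name, path, e-mail address and passphrase in it is a made-up demo value, and gpgsm itself is not invoked.

```shell
#!/bin/sh
# Added example (not from the original message): a minimal X.509 PKI with the
# openssl CLI: a self-signed CA, a CA-issued signing-only certificate, a
# PKCS#12 bundle of key + certificate (what `gpgsm --import` would read; not
# run here), and a detached CMS/S/MIME signature verified against the CA.
# Assumes openssl >= 1.1.1. All names, paths and the passphrase are demo values.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Constructed sample document to sign.
printf 'Confidential draft contract, revision 3\n' > "$WORK/contract.txt"

# Self-signed CA. A private req config avoids depending on the system
# openssl.cnf; x509_extensions marks the certificate as a CA.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo CA
O = Example
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# End-entity certificate issued by the CA. The keyUsage extension is what
# makes it signing-only: no keyEncipherment, so a relying party following
# RFC 5280 will not encrypt to it, only verify signatures made with it.
make_signing_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=Demo Signer/emailAddress=signer@example.invalid" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
    cat > "$WORK/signer.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
extendedKeyUsage = emailProtection
EOF
    openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -extfile "$WORK/signer.ext" -out "$WORK/signer.pem" 2>/dev/null
}

# PKCS#12 bundles the private key with its certificate chain; this is the
# kind of file a CA hands to a user.
export_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/signer.key" -in "$WORK/signer.pem" \
        -certfile "$WORK/ca.pem" -passout pass:demo-only -out "$WORK/signer.p12"
}

# Print the signer certificate's keyUsage extension as openssl renders it.
key_usage() {
    openssl x509 -in "$WORK/signer.pem" -noout -ext keyUsage
}

# Succeeds if keyUsage lists the named usage in openssl's spelling
# ("Digital Signature", "Key Encipherment", ...), fails otherwise.
has_key_usage() {
    key_usage | grep -q "$1"
}

# Detached CMS signature in PEM over the given file, written to FILE.sig.
sign_file() {
    openssl cms -sign -binary -in "$1" -signer "$WORK/signer.pem" \
        -inkey "$WORK/signer.key" -outform PEM -out "$1.sig"
}

# Verify FILE.sig against FILE: checks the signature, the chain up to the CA,
# and that the signer certificate is fit for S/MIME signing.
verify_file() {
    openssl cms -verify -binary -inform PEM -in "$1.sig" -content "$1" \
        -CAfile "$WORK/ca.pem" -out /dev/null 2>/dev/null
}

make_ca
make_signing_cert
export_pkcs12
sign_file "$WORK/contract.txt"
verify_file "$WORK/contract.txt"
echo "contract.txt: signature verified against Demo CA"
key_usage
```

Run it as a script: it prints the verification result and the keyUsage extension, which for this certificate lists Digital Signature and Non Repudiation but no Key Encipherment, the same distinction the message draws between a certificate that can sign and one that can also receive encrypted mail. The resulting signer.p12 is the input `gpgsm --import` would take, which is the gpgsm route the footnote refers to; importing it into gpg itself is not possible, since gpg handles OpenPGP keys rather than X.509 certificates.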

