openPGP LDAP Support
V. Alex Brennen
vab@cryptnet.net
Thu Jun 14 17:31:02 2001
Should we include LDAP/S support as defined by NAI in
openPGP clients and keyservers? Or should we not support
NAI's LDAP/PGP integration implementation?
I've finished the beta version of my keyserver and I'm
about to release it. I was looking into supporting LDAP
in the initial release, rather than adding it later.
However, I think that LDAP support as currently defined
by NAI is perhaps more harmful than helpful (*3,3.1,3.2).
X.509 integration aside, NAI compatible(*1,1.1) LDAP
querying support would be useful in an open keyserver.
Unfortunately, it looks as though NAI SDK licensing(*2)
precludes this.
It appears as though there may have been some effort by
the working group on developing an LDAP standard(*4) for
openPGP. Does anyone know the status of that? Is it still
being worked on or considered? Perhaps LDAP support should
not be implemented until that open standard is developed.
Personally, the openPGP keyserver I've been working on
backends to the postgres rdbms. This makes for very
fast querying because PGP packets do not need to be
processed to produce meta-results (fp, keyid, UID & sig
lists). Also, the keys are stored as BLOBs (OIDs) in the
DB allowing for relational integrity of key material, and
transactional support in key material additions. I see
these properties as very beneficial and I can't see
going back to a GDBM or Berkeley DB based server.
OpenLDAP, the LDAP implementation I would likely use
does not support any RDBMS, and considers the use of
an RDBMS to be contrary(?) to the LDAP design(*5).
I don't know enough about LDAP to speak intelligently
on the topic. The use of LDAP in NAI PGP is my first
exposure to LDAP. However, from discussions on
openPGP related lists and the OpenLDAP links below,
it appears as though the development of a new LDAP
openPGP integration standard is necessary and would
most likely be very beneficial.
I just can't see implementing NAI PGP LDAP in a GPL'd
product right now - or even any product called "open".
Perhaps I have inaccurate information?
Thanks,
- VAB
References:
(1) http://www.OpenLDAP.org/lists/openldap-devel/199901/msg00022.html
(1.1) http://rednest.rosinter.ru/pgp_ldap_server.htm
(2) http://www.OpenLDAP.org/lists/openldap-devel/199902/msg00009.html
(3) http://www.openldap.org/lists/openldap-devel/200010/msg00070.html
(3.1) http://www.openldap.org/lists/openldap-devel/200010/msg00072.html
(3.2) http://www.openldap.org/lists/openldap-devel/200010/msg00074.html
(4) http://www.OpenLDAP.org/lists/openldap-devel/199901/msg00026.html
(5) http://www.openldap.org/lists/openldap-software/200006/msg00023.html
On Sun, 10 Jun 2001, Hironobu SUZUKI wrote:
> Hi,
>
> I have a question about LDAP for PGP public keyserver.
>
> I'm thinking that my PGP public keyserver supports only "hkp protocol",
> because PGP public keyserver will be accessed from PGP/GPG or
> httpd-cgi with hkp protocol. I think that hkp protocol is enough for
> search/post someone's pgp public key. (I don't care about private CA
> or marketing oriented products.)
>
> Do you think that LDAP should be supported? If you think so, please
> let me know why LDAP is required.
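The RDBMS-backed design described in the post above, as an added example that is not the author's keyserver code: the v4 fingerprint, key ID and user IDs are extracted once at insert time and stored relationally next to the key BLOB, so a UID search never touches packet data. It assumes SQLite standing in for Postgres, a toy RSA key constructed inline, and handles only the short OpenPGP packet-length forms.

```python
import hashlib, sqlite3, struct

def parse_packets(blob):
    """Yield (tag, body) for old-format and short new-format OpenPGP packets (RFC 4880 4.2)."""
    i = 0
    while i < len(blob):
        hdr = blob[i]; i += 1
        if hdr & 0x40:                           # new format, one-octet length (< 192) only
            tag, ln = hdr & 0x3F, blob[i]; i += 1
        else:                                    # old format, length type in the low 2 bits
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]
            ln = int.from_bytes(blob[i:i + n], "big"); i += n
        yield tag, blob[i:i + ln]; i += ln

def key_metadata(blob):                          # meta-results: (fp, keyid, uids)
    fp, uids = None, []
    for tag, body in parse_packets(blob):
        if tag == 6 and body[0] == 4:            # v4 fingerprint = SHA1(0x99 || 2-octet len || body)
            fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        elif tag == 13:                          # user ID packet
            uids.append(body.decode())
    return fp, fp[-16:], uids                    # key ID = low 64 bits of the fingerprint

def old_packet(tag, body):                       # old-format header, two-octet length (type 1)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
def mpi(n):                                      # OpenPGP multiprecision integer encoding
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample: a v4 RSA public key with a toy modulus (not a real key) and one user ID.
SAMPLE_KEY = (old_packet(6, b"\x04" + struct.pack(">I", 992563862) + b"\x01"
                         + mpi(0xC0FFEE_DEADBEEF) + mpi(65537))
              + old_packet(13, b"Alice Example <alice@example.org>"))

def open_store():                                # hypothetical: SQLite stands in for Postgres
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")       # relational integrity: no UID row without its key
    db.executescript("""
        CREATE TABLE pgpkey (fingerprint TEXT PRIMARY KEY, keyid TEXT NOT NULL, material BLOB NOT NULL);
        CREATE TABLE pgpuid (fingerprint TEXT NOT NULL REFERENCES pgpkey(fingerprint), uid TEXT NOT NULL);
        CREATE INDEX pgpuid_uid ON pgpuid(uid);""")
    return db

def add_key(db, blob):                           # key BLOB plus metadata rows: all or none
    fp, keyid, uids = key_metadata(blob)
    with db:                                     # commits on success, rolls back on any error
        db.execute("INSERT INTO pgpkey VALUES (?, ?, ?)", (fp, keyid, blob))
        db.executemany("INSERT INTO pgpuid VALUES (?, ?)", [(fp, u) for u in uids])
    return fp

def search_uid(db, needle):                      # answered from the index, no packet parsing
    return [r[0] for r in db.execute("SELECT fingerprint FROM pgpuid WHERE uid LIKE ?", (f"%{needle}%",))]
```

A second insert of the same key fails on the primary key and the whole transaction rolls back, so no orphaned UID rows are left behind.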