LDAP KeyServer Schemas

alan alan@balclutha.org
Tue Apr 1 08:04:02 2003


David,

Your draft IS exactly what is needed.

However, I think that the issues of secure, and authenticated
connections to the keyserver should be addressed.

I think it appropriate behaviour to have privacy in ensuring others
cannot see which keys you are downloading from a public keyserver.  I
also like the idea of having a private keyserver where only
authenticated users can post and/or retrieve keys.

The client declaration of the keyserver should support the full URL -
including protocol, instead of just the servername and optionally port.

It would then be at the discretion of the client to support http and
then optionally any other protocol, such as https, ldap.  If you attempt
to configure with an unsupported protocol then the OpenPGP client should
just barf - much as wget does.

The other thing that should be supported/supportable is basic http
authentication.  I haven't had an opportunity to look at the user-agent
aspect of gnupg, but I hope it is addressing exactly this issue.  Again,
it would not be that difficult to implement a rather stupid default
handler that picks up a colon-separated userid/pwd combo from the
options file, base64-encodes it and sends it in response to a 401 error.

That's my two cents worth on your fine draft!

Cheers, Alan
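The two client-side pieces sketched above (a keyserver option that must be a full URL including protocol, rejecting unsupported ones, and a "rather stupid" Basic auth handler that answers a 401 with the base64-encoded userid:pwd from the options file), as an added example that is not GnuPG code or part of the original post. The supported-protocol set, the option format and the stand-in private keyserver are assumptions of the example; the refusal to send credentials over anything but https is a tightening added here.

```python
import base64
from urllib.parse import urlparse

# Protocols the client is willing to speak; http is the baseline, the rest optional
# (this set and the default ports are an assumption of the example, not a GnuPG setting).
SUPPORTED_SCHEMES = {"http": 80, "https": 443, "ldap": 389}


def parse_keyserver(url):
    """Accept only a full URL (protocol included); barf on anything else, like wget."""
    parts = urlparse(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("keyserver must be a full URL including protocol: %r" % url)
    if parts.scheme not in SUPPORTED_SCHEMES:
        raise ValueError("unsupported keyserver protocol: %r" % parts.scheme)
    return parts.scheme, parts.hostname, parts.port or SUPPORTED_SCHEMES[parts.scheme]


def basic_auth_header(option_value):
    """Turn the colon-separated 'userid:pwd' option into an Authorization header value."""
    if ":" not in option_value:
        raise ValueError("expected userid:password in the options file")
    token = base64.b64encode(option_value.encode("utf-8")).decode("ascii")
    return "Basic " + token  # base64 is an encoding, not encryption: readable on the wire


def fetch_key(url, option_value, send):
    """Request once anonymously; on 401 resend with credentials, but only over https."""
    scheme, host, port = parse_keyserver(url)
    status, body = send(host, port, {})
    if status != 401:
        return status, body
    if scheme != "https":  # added tightening: Basic credentials over plain http are exposed
        raise RuntimeError("server wants credentials but %s would expose them" % scheme)
    return send(host, port, {"Authorization": basic_auth_header(option_value)})


def fake_private_keyserver(expected_cred):
    """Constructed stand-in for a private keyserver: only authenticated users get keys."""
    def send(host, port, headers):
        if headers.get("Authorization") == basic_auth_header(expected_cred):
            return 200, "-----BEGIN PGP PUBLIC KEY BLOCK----- (constructed sample)"
        return 401, ""  # unauthenticated or wrong credentials: challenge again
    return send
```

The `send` callable stands in for the real transport so the exchange runs offline; a real client would put the header on its HTTP request instead.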