LDAP KeyServer Schemas

David Shaw dshaw@jabberwocky.com
Tue Apr 1 20:20:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Apr 01, 2003 at 06:56:04AM +0100, alan wrote:
> David,
> 
> Your draft IS exactly what is needed.
> 
> However, I think that the issues of secure, and authenticated
> connections to the keyserver should be addressed.
> 
> I think it appropriate behaviour to have privacy in ensuring others
> cannot see which keys you are downloading from a public keyserver.  I
> also like the idea of having a private keyserver where only
> authenticated users can post and/or retrieve keys.

All of this is possible in the current draft.  Since HKP is
functionality built on top of HTTP, anything you can do with HTTP, you
can do with HKP.  That includes basic auth, SSL, TLS, etc, etc.

> The client declaration of the keyserver should support the full URL
> - including protocol, instead of just the servername and optionally
> port.
> 
> It would then be at the discretion of the client to support http and
> then optionally any other protocol, such as https, ldap.  If you
> attempt to configure with an unsupported protocol then the OpenPGP
> client should just barff - much as wget does.

I'm not sure if you are referring to GnuPG or the draft here, but
GnuPG does exactly this.  Try setting your keyserver to
"nosuchprotocol://foobar" and retrieving a key.  Anyone is free to add
a gpgkeys_xxxx program to add a new keyserver protocol (and this
doesn't have to be a keyserver over the network - it could be a local
database lookup or something like that).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+idhw4mZch0nhy8kRAsDYAJ0f8IQyb6KVbEmlBJKggzO6evS+hgCdED8s
3ZWx98WKSKR2ek8MkxNdYaw=
=IHnT
-----END PGP SIGNATURE-----