import of external certificates via command line

Bernhard Reiter bernhard at intevation.de
Wed Jan 2 23:41:03 CET 2008


On Wednesday 02 January 2008 18:19, Werner Koch wrote:
> On Wed,  2 Jan 2008 18:01, bernhard at intevation.de said:
> > But when my external search is working, why can't I get those
> > certificates right away?
>
> Because certificates are so often broken and will mess up the
> certificates you already have.  Importing all certificates available is a
> bad idea and only needed if the PKI is broken - if it is broken there is
> a good chance that everything gets messed up.

I am the whole thread writing about importing a subset of certificates
that I have found by (possibly several) external searches, aka
gpgsm --list-external-keys Frodo
gpgsm --list-external-keys Sam
ah, found, now
gpgsm --with-import-please --list-external-keys Sam

> > In Germany I know the Bavarian one which responds to ldap searches.
> > There will always be keys that I do not have in my personal keybox
> > but I can find by other means.
>
> I usually have to resort to a general LDAP browser to locate a specific
> certificate. The automatic mode works only with properly administered LDAP
> directories (like the one you are running).

I have encountered a few now, ca.intevation.de, the Bavarian, ...
And no matter how broken a directory service is, if --list-external-keys
already found the certificate, no matter where, it is completely beyond me
why there should not be a command which will "import" this special subset
of possible keys.

> > You sound like locally saved keys were a bad design idea.
>
> I did not say this.

You have said that a properly administered PKI would be able to locate the
certificate you need anyway and used this argument to not add a special
option to be able to import a selected group of externally found keys.
I do not believe the argument because it is defeated by our own design which
already (rightfully) takes into account existing PKIs.

> > However this is not the point. There are directory services you can ask
> > by LDAP which have reserved attributes for public keys. Gpgsm needs to be able
>
> Tell me this attribute!  There is no standard for it and thus everyone
> is using a different one.  See also "retrieving a certificate by serial
> number and issuer name" (which is not possible).

http://tools.ietf.org/html/rfc4523 has

 4.1. userCertificate

   The userCertificate attribute holds the X.509 certificates issued to
   the user by one or more certificate authorities, as discussed in
   clause 11.2.1 of [X.509].

      ( 2.5.4.36 NAME 'userCertificate'
           DESC 'X.509 user certificate'
           EQUALITY certificateExactMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )


It is reasonable to try this attribute when using the lightweight database
protocol.

Bernhard


-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
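The manual workflow the thread is about, as an added example that is not code from the thread or from GnuPG: search the directory for the RFC 4523 userCertificate attribute, pull the DER values out of the ldapsearch LDIF output, reject entries whose DER framing is damaged (the "broken certificates" Werner warns about), and hand only the selected, intact ones to `gpgsm --import`. The host ldap.example.org, the base DN, the Frodo and Samwise entries and the two DER blobs are all constructed for the example; the blobs have correct outer DER framing but are not real certificates. The search filter escapes the user-supplied name per RFC 4515 so a name like `*)(cn=*` cannot widen the query.

```python
"""Select externally found X.509 certificates from an LDAP search result and
prepare them for `gpgsm --import`.

Added example, not GnuPG project code. Assumes plain RFC 2849 LDIF output as
produced by OpenLDAP's ldapsearch and certificates stored in the RFC 4523
userCertificate attribute (often served as userCertificate;binary).
"""
import base64
import re
import shlex


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so user input cannot change the
    structure of the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_search_filter(name: str) -> str:
    """Filter for what a `gpgsm --list-external-keys <name>` lookup wants:
    entries matching on cn or mail that actually carry a certificate."""
    v = ldap_filter_escape(name)
    return "(&(userCertificate=*)(|(cn=*%s*)(mail=%s)))" % (v, v)


_LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str):
    """Return [(dn, {attr: [bytes, ...]})]. Handles folded lines (a leading
    space continues the previous line), `::` base64 values, and strips
    attribute options so userCertificate;binary and userCertificate merge."""
    unfolded = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    entries = []
    for block in re.split(r"\n{2,}", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            m = _LDIF_LINE.match(line)
            if not m:
                raise ValueError("bad LDIF line: %r" % line)
            attr, sep, val = m.groups()
            value = base64.b64decode(val) if sep == "::" else val.encode()
            attr = attr.split(";")[0].lower()
            if attr == "dn":
                dn = value.decode()
            else:
                attrs.setdefault(attr, []).append(value)
        if dn is not None:  # ldapsearch trailer blocks (search:/result:) have no dn
            entries.append((dn, attrs))
    return entries


def der_sequence_length(blob: bytes) -> int:
    """Total length of the outer DER SEQUENCE (a certificate is exactly one).
    Raises ValueError on truncation, trailing junk or non-minimal lengths."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, hdr = int.from_bytes(blob[2:2 + n], "big"), 2 + n
        if length < 0x80 or length < (1 << (8 * (n - 1))):
            raise ValueError("non-minimal DER length")
    if hdr + length != len(blob):
        raise ValueError("SEQUENCE says %d bytes, got %d" % (hdr + length, len(blob)))
    return hdr + length


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def extract_certificates(ldif_text: str):
    """Split entries into (good=[(dn, der)], bad=[(dn, reason)])."""
    good, bad = [], []
    for dn, attrs in parse_ldif(ldif_text):
        for der in attrs.get("usercertificate", []):
            try:
                der_sequence_length(der)
                good.append((dn, der))
            except ValueError as e:
                bad.append((dn, str(e)))
    return good, bad


def _fold(line: str, width: int = 76) -> str:
    """RFC 2849 folding as ldapsearch emits it: continuation lines start with a space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


# Constructed sample data: correct DER framing, not real certificates.
GOOD_DER = b"\x30\x81\x80" + b"\xa5" * 128
BAD_DER = GOOD_DER[:-4]  # truncated in the directory
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "dn: cn=Frodo Baggins,ou=People,dc=example,dc=org",
    "cn: Frodo Baggins",
    "mail: frodo@example.org",
    _fold("userCertificate;binary:: " + base64.b64encode(GOOD_DER).decode()),
    "",
    "dn: cn=Samwise Gamgee,ou=People,dc=example,dc=org",
    "cn: Samwise Gamgee",
    _fold("userCertificate:: " + base64.b64encode(BAD_DER).decode()),
    "",
    "# search result",
    "search: 2",
    "result: 0 Success",
    "",
])


def main():
    print("ldapsearch -x -H ldap://ldap.example.org -b dc=example,dc=org",
          shlex.quote(build_search_filter("Frodo")), "userCertificate")
    good, bad = extract_certificates(SAMPLE_LDIF)
    for dn, reason in bad:
        print("skipping %s: %s" % (dn, reason))
    for i, (dn, der) in enumerate(good):
        path = "external-%d.pem" % i
        with open(path, "w") as f:
            f.write(to_pem(der))
        print("gpgsm --import %s   # %s" % (path, dn))


if __name__ == "__main__":
    main()
```

Running it prints the ldapsearch line to type against a real directory, skips the Samwise entry because its SEQUENCE length does not match the stored blob, and writes Frodo's certificate as a PEM file for `gpgsm --import`. gpgsm still runs its own chain validation on import; the framing check here only keeps an obviously damaged directory value from reaching the keybox at all.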