import of external certificates via command line
Bernhard Reiter
bernhard at intevation.de
Wed Jan 2 23:41:03 CET 2008
On Wednesday 02 January 2008 18:19, Werner Koch wrote:
> On Wed, 2 Jan 2008 18:01, bernhard at intevation.de said:
> > But when my external search is working, why can't I get those
> > certificates right away?
>
> Because certificates are so often broken and will mess up the
> certificates you already have. Importing all certifcates available is a
> bad idea and only needed if the PKI is broken - if it is broken tehre is
> a good chance that everything gets messed up.
I am the whole thread writing about importing a subset of certificates
that I have found by (possibly several) external searches, aka
gpgsm --list-external-keys Frodo
gpgsm --list-external-keys Sam
ah, found, now
gpgsm --with-import-please --list-external-keys Sam
> > In Germany I know the Bavarian one which responds to ldap searches.
> > There will always be keys that I do not have in my personal keybox
> > but I can find by other means.
>
> I usually have to resort to a general LDAP browser to locate a specific
> certificate, The automatic mode works only with proper administered LDAP
> directies (like the one you are running).
I have encountered a few now, ca.intevation.de, the Bavarian, ...
And no matter how broken a directory service is, if --list-external-keys
already found the certificiate, no matter where, it is completely beyond me,
what there should not a command which will "import" this special subset
of possible keys.
> > You sound like locally saved keys were a bad design idea.
>
> I did not say this.
You have said that a properly administered PKI would be able to locate the
certificate you need anyway and used this argument to not add a special
options to be able to important a selected group of externally found keys.
I do not believe the argument because it is defeated by our own design which
already (rightfully) takes into account existing PKIs.
> > However this is not the point. There are directory services you can ask
> > by LDAP which have reserved attributes for public keys. Gpgsm needs to be
> > able
>
> Tell me this attribute! There is no standard for it and thus everyone
> is using a different one. See also "retrieving a certificate by serial
> number and issuer name" (which is not possible).
http://tools.ietf.org/html/rfc4523
as
4.1. userCertificate
The userCertificate attribute holds the X.509 certificates issued to
the user by one or more certificate authorities, as discussed in
clause 11.2.1 of [X.509].
( 2.5.4.36 NAME 'userCertificate'
DESC 'X.509 user certificate'
EQUALITY certificateExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
It is reasonable to try this attribute when using the light weight database
protocol.
Bernhard
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: </pipermail/attachments/20080102/ef8f1ebf/attachment-0001.pgp>
More information about the Gnupg-devel
mailing list