import of external certificates via command line

Bernhard Reiter bernhard at
Wed Jan 2 23:41:03 CET 2008

On Wednesday 02 January 2008 18:19, Werner Koch wrote:
> On Wed,  2 Jan 2008 18:01, bernhard at said:
> > But when my external search is working, why can't I get those
> > certificates right away?
> Because certificates are so often broken and will mess up the
> certificates you already have.  Importing all certificates available is a
> bad idea and only needed if the PKI is broken - if it is broken there is
> a good chance that everything gets messed up.

Throughout this whole thread I have been writing about importing a subset of
certificates that I have found by (possibly several) external searches, aka
gpgsm --list-external-keys Frodo
gpgsm --list-external-keys Sam
ah, found, now
gpgsm --with-import-please --list-external-keys Sam

> > In Germany I know the Bavarian one which responds to ldap searches.
> > There will always be keys that I do not have in my personal keybox
> > but I can find by other means.
> I usually have to resort to a general LDAP browser to locate a specific
> certificate. The automatic mode works only with properly administered LDAP
> directories (like the one you are running).

I have encountered a few now, the Bavarian, ...
And no matter how broken a directory service is, if --list-external-keys
already found the certificate, no matter where, it is completely beyond me
why there should not be a command which will "import" this special subset
of possible keys.

> > You sound like locally saved keys were a bad design idea.
> I did not say this.

You have said that a properly administered PKI would be able to locate the
certificate you need anyway and used this argument to not add a special
option to be able to import a selected group of externally found keys.
I do not believe the argument because it is defeated by our own design which
already (rightfully) takes into account existing PKIs.

> > However this is not the point. There are directory services you can ask
> > by LDAP which have reserved attributes for public keys. Gpgsm needs to be
> > able
> Tell me this attribute!  There is no standard for it and thus everyone
> is using a different one.  See also "retrieving a certificate by serial
> number and issuer name" (which is not possible).

 4.1. userCertificate

   The userCertificate attribute holds the X.509 certificates issued to
   the user by one or more certificate authorities, as discussed in
   clause 11.2.1 of [X.509].

      ( NAME 'userCertificate'
           DESC 'X.509 user certificate'
           EQUALITY certificateExactMatch
           SYNTAX )

It is reasonable to try this attribute when using the lightweight database


Managing Director - Owner:       (Free Software Company)
Germany Coordinator: Coordinator:
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
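The selection Bernhard asks for (keep only the externally found certificates you actually want, then hand them to gpgsm) can be done client-side with what a directory already gives you. The following is an added example, not GnuPG code and not something posted in this thread. It assumes the directory publishes certificates in the RFC 4523 userCertificate attribute (Werner's point that other directories use other attributes stands; this handles only that one), that the LDAP search result has been saved as LDIF (the format ldapsearch prints, with base64 values after "::" and long values folded onto lines starting with a space), and that the result is fed to "gpgsm --import", which accepts PEM input. The LDIF text and the DER blobs in it are constructed for the example: the blobs are minimal ASN.1 SEQUENCEs, not real X.509 certificates. Before a value is written out, the code checks that it is exactly one well-formed DER SEQUENCE, which rejects the truncated or concatenated values that are a common way directory entries are "broken"; it does not validate the certificate itself, that remains gpgsm's job.

```python
"""Pick a subset of externally found certificates and prepare them for
gpgsm --import.  Added example, not part of GnuPG; assumptions are noted
in the comments."""
import base64
import ssl

# Constructed sample LDIF (what ldapsearch prints for a userCertificate
# search).  Values after "::" are base64; the Sam value is folded onto a
# continuation line.  The DER payloads are placeholder SEQUENCEs:
#   Frodo : 30 05 02 01 01 05 00        (complete)
#   Sam   : 30 07 02 01 02 05 00 05 00  (complete)
#   Gollum: 30 07 02 01 03              (truncated: header promises 7 bytes)
SAMPLE_LDIF = """\
dn: cn=Frodo,ou=people,dc=example,dc=org
cn: Frodo
userCertificate;binary:: MAUCAQEFAA==

dn: cn=Sam,ou=people,dc=example,dc=org
cn: Sam
userCertificate;binary:: MAcCAQIF
 AAUA

dn: cn=Gollum,ou=people,dc=example,dc=org
cn: Gollum
userCertificate;binary:: MAcCAQM=
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries on
    blank lines, decode '::' (base64) values.  Returns a list of dicts
    mapping attribute name -> list of values (bytes for base64 values)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:     # folded continuation
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes last
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def der_envelope_ok(blob):
    """True if blob is exactly one DER SEQUENCE whose encoded length matches
    the bytes present.  Catches truncated or concatenated attribute values;
    it does not parse or validate the certificate contents."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                              # short-form length
        length, header = first, 2
    else:                                         # long form: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length = int.from_bytes(blob[2:2 + n], "big")
        header = 2 + n
    return header + length == len(blob)


def select_certificates(ldif_text, wanted_cns):
    """Return (pem_bundle, rejected).  pem_bundle concatenates, as PEM, the
    userCertificate values of entries whose cn is in wanted_cns (the subset
    the user picked); rejected lists (cn, reason) for values that fail the
    DER envelope check and are therefore not handed to gpgsm."""
    wanted = {cn.lower() for cn in wanted_cns}
    pems, rejected = [], []
    for entry in parse_ldif(ldif_text):
        cn = entry.get("cn", [""])[0]
        if cn.lower() not in wanted:
            continue
        blobs = entry.get("userCertificate;binary", []) + entry.get("userCertificate", [])
        for blob in blobs:
            if not der_envelope_ok(blob):
                rejected.append((cn, "not a single well-formed DER SEQUENCE"))
                continue
            pems.append(ssl.DER_cert_to_PEM_cert(blob))   # stdlib DER->PEM wrap
    return "".join(pems), rejected


if __name__ == "__main__":
    bundle, bad = select_certificates(SAMPLE_LDIF, ["Frodo", "Sam", "Gollum"])
    for cn, why in bad:
        print(f"skipped {cn}: {why}")
    print(bundle, end="")          # save this and run: gpgsm --import selected.pem
```

Run as is, it prints two PEM blocks (Frodo and Sam) and reports Gollum as skipped; with a real ldapsearch dump the same code selects by cn and leaves everything else in the directory alone, which is the "import only what I found and chose" behaviour the thread is about.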