Replacement subkeys
David Shaw
dshaw@jabberwocky.com
Thu Sep 20 04:15:02 2001
--QTprm0S8XgL7H0Dt
Content-Type: multipart/mixed; boundary="azLHFNyN32YCQGCU"
Content-Disposition: inline
--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Sep 20, 2001 at 02:27:04AM +0100, Nick Lamb wrote:
> On Wed, Sep 19, 2001 at 08:39:28PM -0400, David Shaw wrote:
> > You're doing it just right, and so is GnuPG. There is, alas, a bug in
> > some of the HKP keyservers that makes them unable to handle keys with
> > multiple subkeys.
>=20
> That's definitely a problem. Is this infectious (ie servers with a bug
> destroy data and then transmit the incomplete data on to other servers) ?
Alas, yes.
> > I'm afraid I don't know exactly *which* keyservers are buggy.
> > certserver.pgp.com is known good, but is not a HKP keyserver so you
> > need to use the web interface or my LDAP keyserver addition to GnuPG.
> > I believe pgp.dtype.org is good as well, and it's a HKP server.
>=20
> Tested with pgp.dtype.org and fared no better. An LDAP add-on sounds
> good but it's not included in my default build right?
Not any default build, but I've attached patch info. I hope to get it
as part of GnuPG eventually. In the meantime, the more people that
test it the better :)
David
--=20
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+--------------------------------------------------------------------------=
-+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
--azLHFNyN32YCQGCU
Content-Type: message/rfc822
Content-Disposition: inline
Date: Sun, 9 Sep 2001 17:07:05 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: gnupg-devel@gnupg.org
Subject: LDAP keyserver patch
Message-ID: <20010909170705.B610@akamai.com>
Mail-Followup-To: gnupg-devel@gnupg.org
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="tjCHc7DPkfUGtrlw"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-PGP-Key: 2048R/3CB3B415/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18
X-URL: http://www.jabberwocky.com/
X-Phase-Of-Moon: The Moon is Waning Gibbous (61% of Full)
X-Pointless-Random-Number: 216
X-Silly-Header: It sure is.
--tjCHc7DPkfUGtrlw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi folks,
Well, the FSF and I have worked out an assignment agreement that we
both can live with, so to celebrate, here's LDAP keyserver support for
GnuPG.
This is actually generic keyserver support so GnuPG can speak to any
keyserver type, even types that are site specific. It is implemented
as stub code in GnuPG itself and separate helper programs to do the
actual talking to keyservers. The reason for this is security - GnuPG
doesn't need thousands of lines of keyserver code when they can be
much better put in an untrusted application.
Included in the patch is a helper application for LDAP and another one
for email keyservers. You need OpenLDAP installed to enable LDAP
support.
To use the new feature, you need to tell GnuPG which keyserver helper
to call. Do this by adding the protocol to the keyserver names in
your options file. For example:
# Old HKP keyservers still work
keyserver x-hkp://wwwkeys.pgp.net
# New LDAP keyserver
keyserver ldap://certserver.pgp.com
# Email keyserver
keyserver mailto://pgp-public-keys@keys.pgp.net
For backwards compatibility, if you don't specify a protocol, GnuPG
assumes it's a HKP keyserver. For HKP, the patch will still call the
internal HKP keyserver code, but I hope to move the HKP code to a
separate application at some point.
After applying the patch via the usual patch -p1, you should run
automake and autoconf to rebuild configure and the makefiles. After
that, the usual ./configure and make should do it.
The patch is against 1.0.6 (not 1.0.6a), and should be considered
experimental for now. As always, comments welcome.
Get the patch at:
http://www.jabberwocky.com/crypto/patch.gnupg-1.0.6.dms.keyserver.1
David
--=20
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+--------------------------------------------------------------------------=
-+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
--tjCHc7DPkfUGtrlw
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iQEVAwUBO5vZ+Yccwqs8s7QVAQH5wgf8C/XHEyy1fgS9O7kuqfEzDDCpGzZr37vh
M7NzjowbD6i1u/sr5O2aBxhE2xRyMzoZCzaYdk3ZHlNcm/Xg+EszzyJkD+vXa3/V
gSHtYAfjhugw3Gp6K+WatMXjSPbmH5KmppDYUnkM8VCiuDZaxJMJdbwNBiccWvty
WTry7+B/WSGgL81/e+/loof0qWMC8DZKpObUZLIzz6ICJee1gDfmlRdayX9KL9D0
mXxxsA5y3JnD0KP1vXzyWLvCFlf1LzcHXy32KmBopb828UwI7/y2rI8rRAWDjdnx
Tstl/boiWcFj5Suq6Imt7+E8Fg3XRRGPRzXyakMmqsX1pji1S5tUAA==
=LKRX
-----END PGP SIGNATURE-----
--tjCHc7DPkfUGtrlw--
--azLHFNyN32YCQGCU--
--QTprm0S8XgL7H0Dt
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iQEVAwUBO6lQnYccwqs8s7QVAQEXIgf/amUF3e4W0+AMnMk31h7bnLC9ZpT/VYOl
1aAGi+dy/pjNdOSyfGbofta14gtqDBH0Ugd2AG8qy6C21wPDARBU/pZN//PV08Lr
VBN7MkrYehXN9zWZbVEFKgyusprHPws02rJsgyZ0EQl3b4dz7ycea0GZezalsy1A
RAOYRDzZLEf0m8wNApURj5fe5CFX83PVrjGiffGKUqZkO7qz4Kl5MdmxuzXx6HVC
CK/WM3J3aO3TW+fYITTPjhJtiZEbvkO76rJmCMUQiC1aB76vN2qhGWUsft3T+7ge
ziI2nFdBBsaVam39ujl8zkwUu576lup78pLdPnnE5rK8mhQ3KjYrrg==
=bWL0
-----END PGP SIGNATURE-----
--QTprm0S8XgL7H0Dt--