Replacement subkeys

David Shaw dshaw@jabberwocky.com
Thu Sep 20 04:15:02 2001


On Thu, Sep 20, 2001 at 02:27:04AM +0100, Nick Lamb wrote:

> On Wed, Sep 19, 2001 at 08:39:28PM -0400, David Shaw wrote:
> > You're doing it just right, and so is GnuPG. There is, alas, a bug in
> > some of the HKP keyservers that makes them unable to handle keys with
> > multiple subkeys.
>
> That's definitely a problem. Is this infectious (ie servers with a bug
> destroy data and then transmit the incomplete data on to other servers) ?
Alas, yes.
> > I'm afraid I don't know exactly *which* keyservers are buggy.
> > certserver.pgp.com is known good, but is not a HKP keyserver so you
> > need to use the web interface or my LDAP keyserver addition to GnuPG.
> > I believe pgp.dtype.org is good as well, and it's a HKP server.
>
> Tested with pgp.dtype.org and fared no better. An LDAP add-on sounds
> good but it's not included in my default build right?
Not any default build, but I've attached patch info.  I hope to get it as
part of GnuPG eventually.  In the meantime, the more people that test it
the better :)

David

--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson

[Attached message]

Date: Sun, 9 Sep 2001 17:07:05 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: gnupg-devel@gnupg.org
Subject: LDAP keyserver patch
Message-ID: <20010909170705.B610@akamai.com>
X-PGP-Key: 2048R/3CB3B415/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18

Hi folks,

Well, the FSF and I have worked out an assignment agreement that we both
can live with, so to celebrate, here's LDAP keyserver support for GnuPG.

This is actually generic keyserver support so GnuPG can speak to any
keyserver type, even types that are site specific.  It is implemented as
stub code in GnuPG itself and separate helper programs to do the actual
talking to keyservers.  The reason for this is security - GnuPG doesn't
need thousands of lines of keyserver code when they can be much better
put in an untrusted application.

Included in the patch is a helper application for LDAP and another one
for email keyservers.  You need OpenLDAP installed to enable LDAP
support.
To use the new feature, you need to tell GnuPG which keyserver helper to
call.  Do this by adding the protocol to the keyserver names in your
options file.  For example:

  # Old HKP keyservers still work
  keyserver x-hkp://wwwkeys.pgp.net

  # New LDAP keyserver
  keyserver ldap://certserver.pgp.com

  # Email keyserver
  keyserver mailto://pgp-public-keys@keys.pgp.net

For backwards compatibility, if you don't specify a protocol, GnuPG
assumes it's a HKP keyserver.  For HKP, the patch will still call the
internal HKP keyserver code, but I hope to move the HKP code to a
separate application at some point.

After applying the patch via the usual patch -p1, you should run automake
and autoconf to rebuild configure and the makefiles.  After that, the
usual ./configure and make should do it.

The patch is against 1.0.6 (not 1.0.6a), and should be considered
experimental for now.  As always, comments welcome.

Get the patch at:

http://www.jabberwocky.com/crypto/patch.gnupg-1.0.6.dms.keyserver.1

David

--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
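The thread above warns that a buggy HKP keyserver can silently drop subkeys and then pass the truncated key on to other servers. The check below is an added example written for this page, not code from GnuPG or from either poster: it compares the `--with-colons` listing of the local key against the listing of the copy fetched back from a keyserver and reports every subkey the server lost. Both listings are constructed sample input with made-up key IDs.

```python
"""Verify that a key fetched back from a keyserver still carries every
subkey the local copy has.  Added example for this page, not GnuPG code.
Input is the machine-readable output of `gpg --with-colons --list-keys`;
the two listings below are constructed samples with made-up key IDs."""

from typing import Dict, List, Set

# Constructed sample: local copy, one primary key with two subkeys.
LOCAL_LISTING = """\
tru::1:1000000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2001-09-09:::u:Example User <user@example.org>::scaESCA:
sub:u:2048:16:FEDCBA9876543210:2001-09-09::::::e:
sub:u:2048:16:0011223344556677:2001-09-19::::::e:
"""

# Constructed sample: the same key as returned by a keyserver that dropped
# the second subkey (the failure mode discussed in the thread).
SERVER_LISTING = """\
tru::1:1000000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2001-09-09:::u:Example User <user@example.org>::scaESCA:
sub:u:2048:16:FEDCBA9876543210:2001-09-09::::::e:
"""


def parse_colon_listing(text: str) -> Dict[str, Set[str]]:
    """Map each primary key ID to the set of its subkey IDs.

    In --with-colons output field 1 is the record type and field 5 the
    long key ID.  A `sub` record belongs to the most recent `pub` record;
    every other record type (tru, uid, sig, ...) is ignored.
    """
    keys: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        rtype, keyid = fields[0], fields[4]
        if rtype == "pub":
            current = keyid
            keys.setdefault(current, set())
        elif rtype == "sub" and current is not None:
            keys[current].add(keyid)
    return keys


def missing_subkeys(local: str, remote: str) -> Dict[str, List[str]]:
    """Return, per primary key, the subkey IDs present locally but absent
    from the keyserver's copy.  An empty dict means the round trip was
    lossless for every key in the local listing."""
    local_keys = parse_colon_listing(local)
    remote_keys = parse_colon_listing(remote)
    lost: Dict[str, List[str]] = {}
    for primary, subs in local_keys.items():
        gone = subs - remote_keys.get(primary, set())
        if gone:
            lost[primary] = sorted(gone)
    return lost


if __name__ == "__main__":
    lost = missing_subkeys(LOCAL_LISTING, SERVER_LISTING)
    for primary, subs in lost.items():
        print(f"key {primary}: keyserver copy lacks subkeys {', '.join(subs)}")
    if not lost:
        print("all subkeys survived the keyserver round trip")
```

GnuPG merges an imported key into the copy already on the keyring and never deletes material, so fetching the server's copy into the default keyring would hide the loss. Fetch it into a scratch keyring (`--no-default-keyring --keyring <file>`), list that with `--with-colons`, and feed the two listings to the check.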
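The options-file syntax in the attached announcement selects a keyserver helper by URL scheme. The parser below is an added example for this page, not GnuPG's code or the patch's: it resolves each `keyserver` line to a scheme and host, applies the no-scheme-means-HKP rule and the `x-hkp` alias, and refuses scheme strings that could not safely become part of a helper program name, since the announcement's design has GnuPG exec a separate program per scheme. The helper name `gpgkeys_<scheme>` is an assumed convention for illustration; the message does not name the helpers. The options file is constructed sample input.

```python
"""Resolve the `keyserver` lines of a GnuPG options file to the helper that
would handle each one.  Added example for this page, not code from GnuPG
or from the patch announced above.  Assumptions: the helper name
`gpgkeys_<scheme>` is a made-up convention (the message does not name the
helpers) and the options file below is constructed sample input."""

import re
from typing import List, NamedTuple, Optional

# Constructed sample options file: the three forms from the announcement
# plus a scheme-less legacy entry.
OPTIONS_FILE = """\
# Old HKP keyservers still work
keyserver x-hkp://wwwkeys.pgp.net
# New LDAP keyserver
keyserver ldap://certserver.pgp.com
# Email keyserver
keyserver mailto://pgp-public-keys@keys.pgp.net
# Legacy entry with no scheme: treated as HKP
keyserver pgp.dtype.org
"""

# The scheme ends up in the name of a program that gets executed, so only
# accept a conservative token: no slashes, dots-first, or other path tricks.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*$")


class Keyserver(NamedTuple):
    scheme: str
    host: str
    helper: Optional[str]  # None: handled by GnuPG's internal HKP code


def parse_keyserver_uri(value: str) -> Keyserver:
    """Split `scheme://host`, defaulting to HKP when no scheme is given and
    folding the `x-hkp` alias into `hkp`.  Raises ValueError on a scheme
    that fails the whitelist or on an empty host."""
    scheme, sep, rest = value.partition("://")
    if not sep:
        scheme, rest = "hkp", value  # backwards compatibility rule
    scheme = scheme.lower()
    if scheme == "x-hkp":
        scheme = "hkp"
    if not SCHEME_RE.match(scheme):
        raise ValueError(f"refusing keyserver scheme {scheme!r}")
    host = rest.strip("/")
    if not host:
        raise ValueError(f"keyserver {value!r} has no host")
    helper = None if scheme == "hkp" else f"gpgkeys_{scheme}"
    return Keyserver(scheme, host, helper)


def keyservers_from_options(text: str) -> List[Keyserver]:
    """Collect every `keyserver` option, skipping blank and comment lines."""
    found: List[Keyserver] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "keyserver" and len(parts) == 2:
            found.append(parse_keyserver_uri(parts[1].strip()))
    return found


if __name__ == "__main__":
    for ks in keyservers_from_options(OPTIONS_FILE):
        target = ks.helper or "(internal HKP code)"
        print(f"{ks.scheme:7s} {ks.host:35s} -> {target}")
```

The whitelist is the point of the example: once helpers are separate programs chosen by a string from a config file, the scheme has to be validated before it is used to build a program name, otherwise a hostile options file could steer GnuPG into running something else.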