[Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
Ludovic Courtès
ludovic.courtes at laas.fr
Wed Apr 11 18:46:37 CEST 2007
Hi,
Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:
> For example, if foo.example.com runs an LDAP service as a
> non-privileged user (STARTTLS-enabled, of course), i'd prefer that the
> uid on the key used was something like
>
> ldap://foo.example.com/
>
> and not just "foo.example.com". Otherwise, a compromised LDAP service
> could masquerade as other services on the same machine.
>
> I'm not sure that a URI is the right thing to put there, but some
> indication of the service in particular is probably worth considering.
It feels strange to me to fill the user ID packet with something that is
not an RFC822 mail name, even though this is just a convention.
The Debian archive keys, for instance, contain a regular mail name, not
just "http://www.debian.org/" or some such. The textual part (e.g.,
"Etch Stable Release Key") proves to be quite useful since it conveys
additional information. Of course, that information could be made part
of an appropriately crafted URI (e.g.,
"http://www.debian.org/releases/etch/"), but that would be less
user-friendly... and less conventional.
So I don't know what would be best for `openpgp_key_check_hostname ()'.
Thanks,
Ludovic.
More information about the Gnutls-help
mailing list