dirmngr

Werner Koch wk@gnupg.org
Thu May 15 16:00:02 2003


[sorry for approving this so late]

On Thu, 1 May 2003 20:48:37 -0400, Karsten Künne said:

> dirmngr? I'm especially interested in http support for CRL-fetching because 
> all of our certs have a "http"-URI as CRL-distributionpoint. I also found out 
> that dirmngr takes the DN from a cert literally and tries to look that up in 

Not much I fear.  HTTP access should be too hard because we have all
the code for a HTTP client already in GnuPG.  [If you urgently need
this, you may want to ask the author's company or mine for an offer.]

> ldap which in our case doesn't work because our ldap base is 
> "dc=rentec,dc=com" whereas the certs contain "o=rentec,c=us". It also takes 
> the famous (or infamous?) "Email" RDN and makes something strange out of it, 
> for instance, "Email=ca@rentec.com" becomes 
> "email=#63614072656E7465632E636F6D". It would be nice to have some kind of 

It's not that strange, just another representation.  However, it should
use the OID on the left side.

> (configurable) mapping between certificate DN's and ldap DN's.

Interesting idea.

> Another problem is that dirmngr doesn't use the certs which gpgsm already 
> knows. For instance, if I want to fetch a CRL from ldap dirmngr tries to 
> retrieve the CA certificate from ldap but this certificate is already in 
> gpgsm's pubring.kbx. There is no need to fetch that from ldap again (which in 

That seems to be a bug.  There is a mechanism defined which allows
dirmngr to ask back for a certificate.  OTOH, if a CRL has already
been retrieved getting the CA certificate again is not much of a
performance problem.


Shalom-Salam,

   Werner

-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi
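As an added illustration of the two points raised in this exchange (the "#hex" value is just another representation of the same string, with the PKCS#9 emailAddress OID being the better left-hand side, and a configurable mapping from certificate DN suffixes to an LDAP base), here is a small Python sketch. It is not dirmngr or GnuPG code; it assumes, as the message's example does, that the bytes after "#" are the raw attribute value, and the alias table, the DN_MAP table and the comma-splitting of DNs are simplifications made for this example.

```python
# Added example, not part of dirmngr/GnuPG: normalise an RDN as quoted in
# the mail and map a certificate DN suffix onto an LDAP base DN.

# OID of the PKCS#9 emailAddress attribute; "Email" and "E" are legacy
# aliases for it that some tools emit on the left side of an RDN.
EMAIL_OID = "1.2.840.113549.1.9.1"
TYPE_ALIASES = {"email": EMAIL_OID, "emailaddress": EMAIL_OID, "e": EMAIL_OID}

# Constructed mapping: certificate DN suffix -> LDAP base DN (the idea of a
# configurable mapping from the thread; values are the thread's own examples).
DN_MAP = {"o=rentec,c=us": "dc=rentec,dc=com"}


def decode_rdn_value(value: str) -> str:
    """Turn '#63614072...' into 'ca@rentec.com'.

    Assumption (as in the quoted example): the hex digits are the raw UTF-8
    bytes of the value, not a BER encoding.
    """
    if value.startswith("#"):
        return bytes.fromhex(value[1:]).decode("utf-8")
    return value


def normalise_rdn(rdn: str) -> str:
    """'Email=#6361...' -> '1.2.840.113549.1.9.1=ca@rentec.com'."""
    attr_type, _, value = rdn.partition("=")
    attr_type = attr_type.strip()
    oid = TYPE_ALIASES.get(attr_type.lower(), attr_type)
    return f"{oid}={decode_rdn_value(value.strip())}"


def map_dn(cert_dn: str, dn_map: dict = DN_MAP) -> str:
    """Replace the longest matching DN suffix with its configured LDAP base.

    Simplification: RDNs are split on ',' and are assumed not to contain
    escaped commas.  Matching is case-insensitive on the attribute strings.
    """
    rdns = [r.strip() for r in cert_dn.split(",")]
    table = {k.lower(): v for k, v in dn_map.items()}
    # Try the whole DN first, then drop leading RDNs one at a time.
    for i in range(len(rdns)):
        suffix = ",".join(rdns[i:]).lower()
        if suffix in table:
            return ",".join(rdns[:i] + [table[suffix]])
    return cert_dn  # no configured mapping: leave the DN unchanged


def normalise_dn(cert_dn: str, dn_map: dict = DN_MAP) -> str:
    """Normalise every RDN, then apply the suffix mapping."""
    rdns = [normalise_rdn(r) for r in cert_dn.split(",")]
    return map_dn(",".join(rdns), dn_map)


if __name__ == "__main__":
    # The thread's own example, as it would be rewritten for an LDAP lookup.
    print(normalise_dn("Email=#63614072656E7465632E636F6D,o=rentec,c=us"))
```

The hex form in the quoted mail decodes exactly to the original string, which is the point Werner makes; the mapping step shows what a "configurable mapping between certificate DN's and ldap DN's" would have to do before an LDAP search against a base such as "dc=rentec,dc=com" can succeed.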