
The new (GPG/PGP)-LDAP interface



Hi

here is my idea on getting LDAP interface into GPG


             /------------ LDAP ------------ Directory    (search path)
    gpgClient                                    |
             \- LDAP -tmpdir-ldap- KeyMaintAPP - LDAP      (key maintenance path)

This is where, for key maintenance, a temp add is done to create a new
entry. The KeyMaintApp reads this information, decodes and processes it,
then adds it into the normal key Directory.
But gpg uses the normal LDAP search to access information.

The tmpdir is not separate from 'the directory', but just a different
objectclass.

gpgClient <--> LDAP <--- Directory.oc1 <--- LDAP <--> KeyMaintApp  
                 |-----> Directory.oc2 ----->|
The good thing about this idea is the KeyMaintApp requires authorization
to access the directory. This means attacks on the database are low. The
only attack is DoS by filling the oc2 with junk. The KeyMaintApp will
filter out bad keymaint packets.


The keymaint packet would have:
DN: seq=xxxx,id=XXXXXXXXXXXXXXXX,$(basekeymaint)
objectclass: keyMaint
function:  NEWKEY|ADDSIG|DISABL|ENABLE|REVOKE|.....
pgpData: The normal pgp key packet
The ID in the DN is the signature ID of the PGP/GPG armor-encoded packet.


The KeyAuthApp would then read this packet, parse the pgpData into a
normal LDAP directory packet, and update "the Directory".

In order to make it semi-compatible with PGP, the first LDAP request is
for pgpServerInfo. Here the information returned will allow gpg to
determine how to continue. The existing PGP keyserver does not return an
attribute 'baseKeyMaint'; this one will.

The only issue here is when should the KeyMaintApp run? Does it poll
the directory?
Should an "add" trigger an external event?

This is just an idea of the day.
Shaun Savage
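The keymaint packet layout and the "filter out bad keymaint packets" step above, as an added example that is not part of the original post or of any GnuPG code. It builds the LDIF "add" a client would write into the temp objectclass and then applies the checks a KeyMaintApp could run before touching the real Directory: DN shape (seq, 16-hex id, base), objectclass, a known function value, and a pgpData value whose armor parses and whose CRC24 line matches. The base DN `ou=keyMaint,dc=example,dc=com` (standing in for `$(basekeymaint)`), the packet bytes and the junk entries are constructed here; checking that the id in the DN really is the signature ID inside the packet would need an OpenPGP packet parser and is not attempted.

```python
"""Build and filter 'keyMaint' LDIF entries for the proposed GPG/LDAP maintenance path."""
import base64
import binascii
import re

BASE_KEYMAINT = "ou=keyMaint,dc=example,dc=com"  # assumed value for $(basekeymaint)
FUNCTIONS = ("NEWKEY", "ADDSIG", "DISABL", "ENABLE", "REVOKE")
DN_RE = re.compile(r"^seq=(\d+),id=([0-9A-F]{16})," + re.escape(BASE_KEYMAINT) + r"$")


def crc24(data):
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet):
    """Wrap raw packet bytes in a PGP public key block with its CRC line."""
    body = base64.b64encode(packet).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])


def dearmor(text):
    """Return the packet bytes if the armor is well formed and the CRC matches, else None."""
    lines = text.strip().splitlines()
    if (len(lines) < 4 or not lines[0].startswith("-----BEGIN PGP")
            or not lines[-1].startswith("-----END PGP") or "" not in lines):
        return None
    body, crc_line = lines[lines.index("") + 1:-2], lines[-2]
    if not crc_line.startswith("="):
        return None
    try:
        packet = base64.b64decode("".join(body), validate=True)
        crc = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except (binascii.Error, ValueError):
        return None
    return packet if crc == crc24(packet) else None


def build_keymaint_ldif(seq, keyid, function, armored):
    """The LDIF 'add' a client writes into the temp objectclass ('::' marks a base64 value)."""
    pgp = base64.b64encode(armored.encode()).decode()
    return (f"dn: seq={seq},id={keyid},{BASE_KEYMAINT}\n"
            "objectclass: keyMaint\n"
            f"function: {function}\n"
            f"pgpData:: {pgp}\n")


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, '::' values are base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):
                try:
                    value = base64.b64decode(value[1:].strip(), validate=True).decode(errors="replace")
                except binascii.Error:
                    value = ""  # undecodable value; the checks below reject the entry
            else:
                value = value.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def check_keymaint(entry):
    """Return None if the entry is a usable keymaint packet, else why it should be dropped."""
    if not DN_RE.match(entry.get("dn", [""])[0]):
        return "dn is not seq=N,id=<16 hex>,<basekeymaint>"
    if "keymaint" not in [v.lower() for v in entry.get("objectclass", [])]:
        return "objectclass is not keyMaint"
    function = entry.get("function", [""])[0]
    if function not in FUNCTIONS:
        return "unknown function %r" % function
    pgpdata = entry.get("pgpdata", [])
    if len(pgpdata) != 1 or dearmor(pgpdata[0]) is None:
        return "pgpData missing, or armor/CRC invalid"
    return None


def filter_keymaint(ldif_text):
    """Split the temp objectclass contents into accepted DNs and (DN, reason) rejects."""
    accepted, rejected = [], []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        reason = check_keymaint(entry)
        (accepted.append(dn) if reason is None else rejected.append((dn, reason)))
    return accepted, rejected


# Constructed sample data: the packet bytes are a placeholder, not a real key.
FAKE_PACKET = b"\x99\x00\x06\x04\x5a\x00\x00\x00\x01"
GOOD_ARMOR = armor(FAKE_PACKET)
BAD_ARMOR = re.sub(r"\n=[A-Za-z0-9+/]{4}\n", "\n=AAAA\n", GOOD_ARMOR)  # CRC line tampered
SAMPLE_LDIF = "\n".join([
    build_keymaint_ldif(1, "0123456789ABCDEF", "NEWKEY", GOOD_ARMOR),  # valid
    build_keymaint_ldif(2, "0123456789ABCDEF", "DELETE", GOOD_ARMOR),  # unknown function
    build_keymaint_ldif(3, "0123456789ABCDEF", "REVOKE", BAD_ARMOR),   # junk armor
])

if __name__ == "__main__":
    ok, dropped = filter_keymaint(SAMPLE_LDIF)
    print("accepted:", ok)
    for dn, why in dropped:
        print("dropped:", dn, "->", why)
```

Running the script prints one accepted DN (seq=1) and two drops. The point of checking the armor CRC before anything else is that the oc2 subtree is writable by anyone who can add, so the cheapest way to survive the "fill oc2 with junk" DoS the post mentions is to reject entries by syntax before running any of the expensive key processing on them.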