
Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]


I don't understand the solution you propose at the end of the message about a fake entry. Thanks!

At 16:18 13.01.2002 +0300, you wrote:
hi there!

----- Original Message -----
From: "Peter Marschall" <peter.marschall@mayn.de>
To: <openldap-software@OpenLDAP.org>
Sent: Sunday, January 13, 2002 1:33 PM
Subject: Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]

> Hi,
> On Friday 11 January 2002 10:48, you wrote:
> > The implemented schema works perfectly for all PGP applications
> > (certification, encryption, ... anything); the only thing that stops me
> > from really substituting the PGP KeyServer with OpenLDAP is the
> > access. I sniffed the packets, however I don't get any hints of the
> > denial, because if the PGP client doesn't have write permissions it
> > even binds to the LDAP server (the LDAP server response is just a success
> > acknowledgement instead of the normal response with the basedn to bind).
> > It is really strange. I'm trying to ask NAI what's happening because if
> > they give the option of connecting the clients to this kind of servers they
> > SHOULD give support for these errors.
> If you trace the connections you should be able to find out to which
> objects the PGP client wants to have which kind of access (search,
> read, write, ...).
> This information should be sufficient to build more restrictive ACLs
> than you have now.

JFYI - if you are talking about how the native NAI client accesses LDAP:
it does not need any write permission, because it uses LDAP_ADD
just to inform the PGP keyserver about an arriving key. All processing is done by
the keyserver itself - it processes the ASCII-armoured key, gets all attributes from this
key to create a searchable entry in the database and writes this entry along
with the armoured key (as children) to the directory. So it is almost impossible to use a
pure OpenLDAP server to process all requests from the NAI client - first of all
because you will search for some attributes in the entry when all keys are
stored as children of these entries. You can create a single directory entry
that holds all attributes - pgpcertid, ..., and the pgpkey itself, but anyway -
you must process the incoming key to parse it - and that is not an OpenLDAP
function, because you must use the PGPSDK or an OpenPGP library to do this.
This information is from my research of the NAI PGP keyserver about 3 years ago.
Something may have changed, but I'm sure that you MUST NOT give write
permission to the ACTIVE_DN directory tree, because it breaks all security - you
can easily create an entry with a fake pgpkey attribute, like pgpid, and users will be
forced to check every search response for really valid entries manually.

Alejandra Moreno Espinar
at rete ag

mailto:alejandra.moreno@atrete.ch, http://www.atrete.ch
snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
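As an added illustration (not code from this thread, from OpenLDAP or from NAI's keyserver) of the check the poster says users would otherwise have to do by hand: verify that an entry's claimed pgpcertid actually matches the key material in its pgpkey attribute, so an entry written with a fake ID is caught on the way back from a search. The attribute names follow the PGP keyserver schema as the thread names them, the key packet and both entries are constructed, and the parser assumes an old-format OpenPGP v4 public-key packet with a two-octet length (RFC 4880 fingerprint rules).

```python
import base64
import hashlib
import struct

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip armor lines, base64-decode the body and verify the '=' CRC line."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    if "" in body:                     # drop armor headers (Version:, Comment:, ...)
        body = body[body.index("") + 1:]
    crc_line = [l for l in body if l.startswith("=")]
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    if crc_line and base64.b64decode(crc_line[0][1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch")
    return data

def key_id_from_packets(data: bytes) -> str:
    """16-hex-digit key ID of the leading v4 public-key packet (tag 6, 2-octet length)."""
    if not data or data[0] != 0x99:
        raise ValueError("expected old-format public-key packet with 2-octet length")
    length = struct.unpack(">H", data[1:3])[0]
    body = data[3:3 + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("only complete v4 keys handled")
    # v4 fingerprint = SHA-1(0x99 || 2-octet length || packet body); key ID = low 64 bits
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).digest()
    return fpr[-8:].hex().upper()

def entry_is_consistent(entry: dict) -> bool:
    """True only if the entry's pgpcertid matches the key actually stored in pgpkey."""
    try:
        return key_id_from_packets(dearmor(entry["pgpkey"])) == entry["pgpcertid"].upper()
    except (ValueError, KeyError, IndexError):
        return False

def armor(data: bytes) -> str:
    """Build a minimal armored block (used here only to construct sample entries)."""
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(data).decode()
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed v4 public-key packet: version 4, creation time, algorithm 1 (RSA), dummy MPIs.
KEY_BODY = b"\x04" + struct.pack(">I", 1010000000) + b"\x01" + b"\x00\x10\xc3\x17" + b"\x00\x11\x01\x00\x01"
KEY_PACKET = b"\x99" + struct.pack(">H", len(KEY_BODY)) + KEY_BODY
GOOD_ENTRY = {"pgpcertid": key_id_from_packets(KEY_PACKET), "pgpkey": armor(KEY_PACKET)}
FAKE_ENTRY = {"pgpcertid": "0123456789ABCDEF", "pgpkey": armor(KEY_PACKET)}  # claims another key's ID
```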