Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]

[Alejandra Moreno <alejandra.moreno@atrete.ch>]

Hi!

I don't understand the solution you propose at the end of the message of
a fake entry. Thanks!


At 16:18 13.01.2002 +0300, you wrote:
> hi there!
>
> ----- Original Message -----
> From: "Peter Marschall" <peter.marschall@mayn.de>
> To: <openldap-software@OpenLDAP.org>
> Sent: Sunday, January 13, 2002 1:33 PM
> Subject: Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]
>
>
> > Hi,
> >
> > On Friday 11 January 2002 10:48, you wrote:
> > > The implemented schema works perfectly for all PGP
> applications
> > > (certification, encryption,... anything), the only thing that
> stops me
> from
> > > really substituting the PGP KeyServer with the OpenLDAP is
> the
> permission
> > > access. I sniffed the packages, however I don't get any hints
> of the
> exact
> > > denial, because if the PGP client doesn't have writing
> permissions it
> wont
> > > even bind to the LDAP server (the LDAP server response is just
> a success
> > > acknowledgement instead of the normal response with the basedn
> to bind).
> It
> > > is really strange. I'm trying to ask NAI what's happening
> because if
> they
> > > give the option of connecting the clients to this kind of
> servers they
> > > SHOULD give support for these errors.
> >
> > If you trace the connections you should be able to find out, to
> which
> > objects the PGP clients wants to have which kind of access
> (search,
> > read, write, ..)
> > This information should be sufficient to build more restrictive
> ACLs
> > than you have now.
>
> JFYI - if you are talking about how native NAI client accesses LDAP
> directory:
> It does not need any writable access permission, because it using
> LDAP_ADD
> just to inform PGP keyserver about arriving key. All processing are hold
> by
> keyserver itself - process ascii armoured key, get all attributes from
> this
> key to create a searcheable entry in the database and write this entry
> along
> with armoured key(as children) to directory. So, it almost impossible to
> use
> pure OpenLDAP server to process all request from NAI client - first of
> all
> because you will search for some attributes in the entrie when all keys
> are
> stored as children to this entries. You can create a single directiry
> entry
> that holds all attributes - pgpcertid,.., and pgpkey itself, but anyway
> -
> you must process incoming key to parse it - and it is not an
> openldap
> function, because you must use a PGPSDK or openPGP library to do
> this.
>  This information from my resarch of NAI PGPkeyserver about 3 year
> ago.
> Something can be changed, but i'm sure that you MUST NOT give an
> write
> permission to ACTIVE_DN directory tree, because it break all security -
> you
> can easy create entry with fake pgpkey attribute, like pgpid and user
> will
> forced to check every search response for really valid entries
> manually.

______________________________________________________________________
Alejandra Moreno Espinar
at rete ag

mailto:alejandra.moreno@atrete.ch, http://www.atrete.ch
snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
_____________________________________________________________________