HKP keyservers over SSL

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 12 20:14:18 CET 2009 

> A few weeks ago, I added support for SSL to the HKP keyserver handler  
> (gpg(2)keys_hkp) to help test some new keyserver work that is going  
> on.  (Though "Added" is a bit of a strong term - it's really just 4-5  
> lines of code to tell libcurl to accept SSL.)  Anyway, Werner pointed  
> out that we may want to do something more than that.  After all, gpgsm  
> manipulates X.509 certificates for lunch.

There is also RFC 5081, which implements the use of OpenPGP certificates
for TLS authentication.  If there's a better place for rollout of that
standard than OpenPGP keyserver queries, it doesn't spring immediately
to mind.

> So, let's talk about it a bit:  How can we do something smart here,  
> design-wise?  It would be nice to also support client auth, and not  
> just the standard server validation SSL test.

We can support client authentication with additional curl arguments as
well, via CURLOPT_SSLCERT and CURLOPT_SSLKEY.  It'd be preferable to
pass something like a named pipe to the latter argument before feeding
it the key, to avoid writing the key to the filesystem.

> Plumbing-wise, this may be a bit tricky.  libcurl itself isn't really  
> built to take certificates from anything other than a file.  It  
> supports multiple SSL engines (OpenSSL, NSS, GnuTLS) and the  
> "certificate from a file" concept is universal.

I don't see any significant problem with writing certificates to a
temporary file for this purpose, actually (i suppose there is the
potential cleanup hassle in weird corner-case failures).  Writing keys
to a file seems more problematic, though.

> My understanding is  
> that there is a way to manipulate the SSL connection (including  
> specifying certificates), but that is OpenSSL specific and wouldn't  
> work with one of the other backends.

We're already specifying certificates via --keyserver-options
ca-cert-file, and that works with the gnutls backend, fwiw.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090312/4eaeb507/attachment.pgp>

More information about the Gnupg-devel mailing list