keyserver

Olaf Gellert olaf.gellert at intrusion-lab.net
Tue Nov 7 10:12:07 CET 2006


Joseph Oreste Bruni wrote:
> I considered the use of LDAP since I just recently built an OpenLDAP
> server for us to use for centralized user authentication and it would
> fit right in. But, from what I understand about using LDAP as a
> keyserver, one would lack the key-data merging capability since LDAP
> servers don't know about OpenPGP-specific data.

Don't know.

> I was able to get PKS to compile on Linux and it works. My problem was
> initially with trying to build on OS X since the db2 configure script is
> so old that it doesn't recognize Darwin. I pulled the pks-current code
> which uses the DB4.1 database and got it working on Linux. But it
> doesn't support some of the more recent OpenPGP features (attributes).
> (I'm not sure that that is a show-stopper, though.)

It is. PKS does not support multiple subkeys and some
other features of modern keys. Actually nearly all
keyserver administrators switched to SKS (it syncs
fine and supports all recent keys).

> SKS seems good but the use of yet another oddball language (ocaml) is
> annoying and I ran into problems with it trying to compile on SuSE Linux
> -- I'll bring those issues up on the SKS list if anyone there is still
> participating.

Should run on SuSE without too many problems (I have
installed SKS on a SuSE system). Hopefully you have
the correct version of the OCaml compiler etc. Just
ask at the SKS mailing list, it is usually low traffic
but very responsive.

> I noticed, David, that your name is one of the contributors to the PKS
> project. I was hoping that the GnuPG project might "adopt" the idea of a
> keyserver and run with it, keeping it up to date. Has the idea of public
> keyservers run out of steam?

I guess not. There are some problems with recent public
keyservers (which are not technical problems but legal
problems, e.g. privacy of the data (because keys actually
cannot be removed or blacklisted)), but this does not
matter for a private key server. But a keyserver is
something completely different than GnuPG, so the
crypto gurus take care of GPG and some other gurus
develop key servers. Maybe a key server that supports
cryptography would need a team of both. Any takers? ;-)

Cheers, Olaf

-- 

Dipl.Inform. Olaf Gellert                   INTRUSION-LAB.NET
Senior Researcher,                      www.intrusion-lab.net
PKI - and IDS - Services        olaf.gellert at intrusion-lab.net



