LDAP back-end


LDAP back-end

C.J. Adams-Collier KF7BMP
Hey folks,

I'm setting up a CA, and I plan to keep the certs on an LDAP server.
I've been looking around for a PGP keyserver, and it looks like SKS is
the most well-maintained system available.

I've written a bit of code here and there, and I can probably implement
an LDAP back-end if it has not yet been implemented.  I haven't read
through the codebase yet, so I will go do that here when I have some
free time.

If such a feature is already implemented (or being implemented), could
someone bring me up to date?

Thanks in advance,

C.J.


_______________________________________________
Sks-devel mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/sks-devel


Re: LDAP back-end

Joseph Oreste Bruni-3
GnuPG supports an LDAP interface directly without needing to use SKS. If you are using OpenLDAP the schema extensions can be found easily enough. I did this for a small, private key server in my company for a while until my needs outgrew an LDAP implementation.

The downside of using LDAP for a keyserver is that values are replaced rather than merged, as is preferred by the nature of signatures. A key signed by you will be overwritten by the same key signed by me if I don't first take care to update my copy of the key with the keyserver version, resulting in lost signatures, preferences and other changes.

BerkeleyDB is nice (it is very fast) but does have its quirks. Perhaps you could spend that energy redoing the backend using SQLite instead of LDAP. I don't know if anyone has provided language bindings for SQLite in OCaml, though.

Joe

Sent from my iPhone

On Jun 20, 2010, at 11:26 AM, "C.J. Adams-Collier"  
<[hidden email]> wrote:


Re: LDAP back-end

David Shaw
On Jun 20, 2010, at 3:48 PM, Joseph Oreste Bruni wrote:

> GnuPG supports an LDAP interface directly without needing to use SKS. If you are using OpenLDAP the schema extensions can be found easily enough. I did this for a small, private key server in my company for a while until my needs outgrew an LDAP implementation.
>
> The downside of using LDAP for a keyserver is that values are replaced rather than merged, as is preferred by the nature of signatures. A key signed by you will be overwritten by the same key signed by me if I don't first take care to update my copy of the key with the keyserver version, resulting in lost signatures, preferences and other changes.

Note that LDAP==non-merging, PKS==merging is just an accident of history. GnuPG doesn't particularly care if a keyserver is merging or not, as it is not dependent on the protocol, and in fact the original LDAP server was a merging keyserver. If you wrote an LDAP handler for SKS, it would be a merging keyserver just like SKS using the PKS handler is.

David


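The two replies above turn on one distinction: a store that replaces a key with the latest upload loses certifications, while a merging keyserver unions the packets of every copy it has seen. The following is an added example, not code from this thread, from SKS or from GnuPG, showing that difference on the wire format. It frames and re-emits OpenPGP packets as described in RFC 4880 section 4.2 and merges two transferable public keys by attaching each signature to the key, user ID or subkey packet it follows; the key and signature bodies are constructed placeholder bytes, and the function and constant names are this example's own.

```python
# Added example (not code from the thread, SKS or GnuPG): merging two uploads
# of the same OpenPGP key by unioning their packets, versus the replace
# semantics of a plain attribute store. Packet framing follows RFC 4880
# section 4.2; every key and signature body is a constructed placeholder.
from typing import Dict, List, Tuple

Packet = Tuple[int, bytes]  # (packet tag, packet body)
PUBLIC_KEY, SIGNATURE, USER_ID, SUBKEY = 6, 2, 13, 14
COMPONENTS = (PUBLIC_KEY, USER_ID, SUBKEY)  # packets that own the signatures after them


def parse_packets(data: bytes) -> List[Packet]:
    """Split a binary OpenPGP stream into (tag, body) packets. Old-format and
    new-format headers are handled; partial-body/indeterminate lengths are rejected."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:  # new-format header: tag in low 6 bits, 1/2/5-octet length
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + width], "big"), i + width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        out.append((tag, body))
        i += length
    return out


def serialize(packets: List[Packet]) -> bytes:
    """Re-emit packets with new-format headers."""
    out = bytearray()
    for tag, body in packets:
        n = len(body)
        if n < 192:
            hdr = bytes([0xC0 | tag, n])
        elif n < 8384:
            hdr = bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF])
        else:
            hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
        out += hdr + body
    return bytes(out)


def group(packets: List[Packet]) -> List[Tuple[Packet, List[Packet]]]:
    """Attach each signature to the key, user ID or subkey packet it follows."""
    groups: List[Tuple[Packet, List[Packet]]] = []
    for p in packets:
        if p[0] in COMPONENTS:
            groups.append((p, []))
        elif p[0] == SIGNATURE and groups:
            groups[-1][1].append(p)
        else:
            raise ValueError("unexpected packet tag %d" % p[0])
    return groups


def merge_keys(a: bytes, b: bytes) -> bytes:
    """Merging store: union of components and of their signatures, first-seen order."""
    ga, gb = group(parse_packets(a)), group(parse_packets(b))
    if not (ga and gb) or ga[0][0][0] != PUBLIC_KEY or ga[0][0] != gb[0][0]:
        raise ValueError("inputs are not two copies of the same primary key")
    merged: List[Tuple[Packet, List[Packet]]] = []
    where: Dict[Packet, int] = {}
    for comp, sigs in ga + gb:
        if comp not in where:
            where[comp] = len(merged)
            merged.append((comp, []))
        kept = merged[where[comp]][1]
        kept.extend(s for s in sigs if s not in kept)  # drop duplicates, keep new
    return serialize([p for comp, sigs in merged for p in (comp, *sigs)])


def replace_key(a: bytes, b: bytes) -> bytes:
    """Replacing store (a plain attribute value): the later upload wins outright."""
    return b


def signature_count(blob: bytes) -> int:
    return sum(1 for tag, _ in parse_packets(blob) if tag == SIGNATURE)


# Constructed sample: one key and user ID with a self-signature, plus a
# different third-party certification in each of two independent uploads.
KEY = (PUBLIC_KEY, b"constructed-primary-key-material")
UID = (USER_ID, b"Alice Example <alice@example.invalid>")
SELF_SIG = (SIGNATURE, b"constructed-self-certification")
COPY_FROM_BOB = serialize([KEY, UID, SELF_SIG, (SIGNATURE, b"constructed-cert-by-bob")])
COPY_FROM_CAROL = serialize([KEY, UID, SELF_SIG, (SIGNATURE, b"constructed-cert-by-carol")])

if __name__ == "__main__":
    print("replace keeps", signature_count(replace_key(COPY_FROM_BOB, COPY_FROM_CAROL)), "signatures")
    print("merge keeps", signature_count(merge_keys(COPY_FROM_BOB, COPY_FROM_CAROL)), "signatures")
```

With the sample data, `replace_key` keeps two signatures (Carol's upload erased Bob's certification), while `merge_keys` keeps all three and is idempotent, which is the property the SKS handler gives you regardless of whether the front end speaks HKP or LDAP. A real merge would additionally verify each signature against the key before keeping it; this example only shows the packet-level union.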