
[Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'


From: Ludovic Courtès
Subject: [Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
Date: Wed, 11 Apr 2007 18:46:37 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

Hi,

Daniel Kahn Gillmor <address@hidden> writes:

> For example, if foo.example.com runs an LDAP service as a
> non-privileged user (STARTTLS-enabled, of course), i'd prefer that the
> uid on the key used was something like
>
>  ldap://foo.example.com/
>
> and not just "foo.example.com".  Otherwise, a compromised LDAP service
> could masquerade as other services on the same machine.
>
> I'm not sure that a URI is the right thing to put there, but some
> indication of the service in particular is probably worth considering.

It feels strange to me to fill the user ID packet with something that is
not an RFC822 mail name, even though this is just a convention.

The Debian archive keys, for instance, contain a regular mail name, not
just "http://www.debian.org/" or some such.  The textual part (e.g.,
"Etch Stable Release Key") proves to be quite useful since it conveys
additional information.  Of course, that information could be made part
of an appropriately crafted URI (e.g.,
"http://www.debian.org/releases/etch/"), but that would be less
user-friendly... and less conventional.

So I don't know what would be best for `openpgp_key_check_hostname ()'.

Thanks,
Ludovic.
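To make the three user-ID conventions under discussion concrete, here is an added example (not GnuTLS code and not part of the thread) of a hypothetical matcher `uid_matches()` that checks a user ID against a hostname and, optionally, a service name. It treats a mail-name UID as naming the mail domain, a bare hostname as unbound to any service, and a `scheme://host/` URI as bound to that service; those policies are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Case-insensitive comparison of a length-delimited host with a C string. */
static int host_equal(const char *a, size_t alen, const char *b)
{
    return strlen(b) == alen && strncasecmp(a, b, alen) == 0;
}

/* Hypothetical policy (added example, not the GnuTLS implementation).
   Recognised user-ID forms:
     1. "Name <user@host>"   RFC 822 mail name; host is the mail domain
     2. "host"               bare hostname; matches any service
     3. "scheme://host/"     service URI; matches only when SERVICE == scheme
   Returns 1 if UID names HOSTNAME (for SERVICE, if bound), else 0. */
int uid_matches(const char *uid, const char *hostname, const char *service)
{
    const char *lt = strchr(uid, '<');
    const char *sep = strstr(uid, "://");

    if (lt) {                               /* form 1: mail name */
        const char *at = strchr(lt, '@');
        const char *gt = strchr(lt, '>');
        if (!at || !gt || at > gt)
            return 0;
        return host_equal(at + 1, (size_t)(gt - at - 1), hostname);
    }
    if (sep) {                              /* form 3: service URI */
        size_t schemelen = (size_t)(sep - uid);
        const char *host = sep + 3;
        const char *end = strchr(host, '/');
        size_t hostlen = end ? (size_t)(end - host) : strlen(host);
        /* A UID bound to one service must not vouch for another one. */
        if (!service || strlen(service) != schemelen ||
            strncasecmp(uid, service, schemelen) != 0)
            return 0;
        return host_equal(host, hostlen, hostname);
    }
    return host_equal(uid, strlen(uid), hostname);   /* form 2: bare host */
}

int main(void)
{
    /* Constructed sample UIDs mirroring the ones discussed in the thread. */
    printf("%d\n", uid_matches("ldap://foo.example.com/", "foo.example.com", "ldap"));
    printf("%d\n", uid_matches("ldap://foo.example.com/", "foo.example.com", "imap"));
    printf("%d\n", uid_matches("foo.example.com", "foo.example.com", "imap"));
    return 0;
}
```

The second call returns 0 while the third returns 1, which is exactly the difference between a service-qualified UID and a bare hostname that the quoted message is concerned about.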
