Peter Gutmann | 12 Jan 2008 09:17

Public-key distribution via HTTP

[CC'd to various lists who might be interested]

Someone recently asked on a security list whether there was a simple way of
putting your public key on a web server based on "a set of goals, hopefully
sufficiently unambitious, so one knows what one wants to do very precisely.
Given those, I suspect a decent spec replacing hundreds of pages of currently
'standard' and useless mechanism could be crafted in about 10 to 30 pages)".
My response was "You've just described RFC 4387 :-)".  The list reaction was
that no-one had known until then that this document even existed, so I'm
posting this to a couple of lists where people might find it useful.

Don't be misled by the title (http://www.ietf.org/rfc/rfc4387.txt), it was
published under the auspices of PKIX but it's really "a simple, fairly
universal means of publishing your public key via HTTP".  The CACert folks
have set up a Wiki page to cover implementation info, feedback, and comments:
http://wiki.cacert.org/wiki/RFC4387.

(Please, no religious arguments over this: If you think it's useful, implement
it.  If not, ignore it).

Peter.
Timothy J. Miller | 14 Jan 2008 15:27

Re: Public-key distribution via HTTP

On Jan 12, 2008, at 2:17 AM, Peter Gutmann wrote:

> Someone recently asked on a security list whether there was a simple way of
> putting your public key on a web server based on "a set of goals, hopefully
> sufficiently unambitious, so one knows what one wants to do very precisely.
> Given those, I suspect a decent spec replacing hundreds of pages of currently
> 'standard' and useless mechanism could be crafted in about 10 to 30 pages)".
> My response was "You've just described RFC 4387 :-)".  The list reaction was
> that no-one had known until then that this document even existed, so I'm
> posting this to a couple of lists where people might find it useful.
>
> Don't be misled by the title (http://www.ietf.org/rfc/rfc4387.txt), it was
> published under the auspices of PKIX but it's really "a simple, fairly
> universal means of publishing your public key via HTTP".  The CACert folks
> have set up a Wiki page to cover implementation info, feedback, and comments:
> http://wiki.cacert.org/wiki/RFC4387.
>
> (Please, no religious arguments over this: If you think it's useful, implement
> it.  If not, ignore it).

Daniel A. Nagy | 17 Jan 2008 14:49

Re: Revocability semantics

Dear WG,

I am pretty sure that my interpretation of the standard is correct, but I
would like to
a) have it confirmed and
b) make it known to other implementers

The Revocable flag as specified by RFC4880, Section 5.2.3.12, when set to 0,
only forbids revocation by the issuer, but not by other revokers.

In particular, if a revocation key (5.2.3.15) is present in addition to the
above flag, it means that the designated revoker is allowed to revoke the
certificate, but the issuer is not.

The context is the implementation of IOU notes as self-signatures on PGP
public keys, so that the PKS infrastructure can be used for their
dissemination (and, thus, for credit reputation tracking). More on this at
the upcoming FC2008, in Cozumel. ;-)

-- 
Daniel
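An added example, not code from the thread or from any OpenPGP library, that implements the interpretation stated above: it parses a signature's hashed subpacket area using the RFC 4880 5.2.3.1 length encoding, reads the Revocable (type 7) and Revocation Key (type 12) subpackets, and answers "may this key revoke?" so that Revocable=0 blocks the issuer while a designated revoker remains authorised. The fingerprints and the subpacket bytes are constructed for the demonstration and are not real keys; the function and class names are this example's own.

```python
"""Who may revoke an OpenPGP signature, read from its hashed subpackets.

Added example (not from the thread). It implements the interpretation stated
in the post: Revocable=0 (RFC 4880 5.2.3.12) forbids revocation by the issuer
only, while a Revocation Key subpacket (5.2.3.15) still authorises the
designated revoker. All key fingerprints and subpacket bytes are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

REVOCABLE = 7        # RFC 4880 5.2.3.12: one octet, 0 = not revocable by issuer
REVOCATION_KEY = 12  # RFC 4880 5.2.3.15: class, pubkey alg, 20-octet fingerprint


def encode_subpacket(subtype: int, body: bytes) -> bytes:
    """Encode one subpacket with the RFC 4880 5.2.3.1 length forms.

    The length counts the type octet plus the body, not the length itself.
    """
    payload = bytes([subtype]) + body
    n = len(payload)
    if n < 192:
        length = bytes([n])
    elif n < 16320:
        hi, lo = divmod(n - 192, 256)
        length = bytes([hi + 192, lo])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return length + payload


def parse_subpackets(area: bytes) -> list[tuple[int, bool, bytes]]:
    """Parse a subpacket area into (type, critical_bit, body) triples."""
    out, i = [], 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        payload = area[i:i + length]
        if len(payload) != length or length == 0:
            raise ValueError("truncated or empty subpacket")
        i += length
        out.append((payload[0] & 0x7F, bool(payload[0] & 0x80), payload[1:]))
    return out


@dataclass
class RevocationPolicy:
    # RFC 4880: if no Revocable subpacket is present the signature is revocable.
    issuer_may_revoke: bool = True
    designated_revokers: list[bytes] = field(default_factory=list)


def revocation_policy(area: bytes) -> RevocationPolicy:
    """Derive the revocation policy from a signature's hashed subpacket area."""
    policy = RevocationPolicy()
    for subtype, _critical, body in parse_subpackets(area):
        if subtype == REVOCABLE and body:
            policy.issuer_may_revoke = body[0] != 0
        elif subtype == REVOCATION_KEY and len(body) >= 22:
            klass, fingerprint = body[0], body[2:22]
            if klass & 0x80:  # bit 7 must be set for a valid revocation key
                policy.designated_revokers.append(fingerprint)
    return policy


def may_revoke(policy: RevocationPolicy, revoker_fpr: bytes, issuer_fpr: bytes) -> bool:
    """True if revoker_fpr is authorised to revoke a signature issued by issuer_fpr."""
    if revoker_fpr == issuer_fpr:
        return policy.issuer_may_revoke
    return revoker_fpr in policy.designated_revokers


# Constructed fingerprints (not real keys).
ISSUER_FPR = bytes(range(20))
REVOKER_FPR = bytes([0xAA]) * 20

# Hashed subpacket area of an IOU-style self-signature: Revocable=0 plus a
# Revocation Key naming REVOKER_FPR (class 0x80, algorithm 1 = RSA).
IOU_AREA = (
    encode_subpacket(REVOCABLE, b"\x00")
    + encode_subpacket(REVOCATION_KEY, b"\x80\x01" + REVOKER_FPR)
)

if __name__ == "__main__":
    policy = revocation_policy(IOU_AREA)
    print("issuer may revoke:", may_revoke(policy, ISSUER_FPR, ISSUER_FPR))
    print("designated revoker may revoke:", may_revoke(policy, REVOKER_FPR, ISSUER_FPR))
```

A verifier that follows this policy must still check the revocation signature itself against the revoker's key; the policy only says whose revocation to accept. Note also that the lookup is by the 20-octet fingerprint carried in the Revocation Key subpacket, so a revoker identified only by an 8-octet key ID cannot be matched without first resolving that ID to a fingerprint.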
Daniel A. Nagy | 17 Jan 2008 15:05

Face to face meeting in Cozumel?

Dear WG,

I have noticed that several active members of the WG are going to attend
FC2008 in Cozumel, Mexico.

Would you be interested in an informal meeting to discuss some
OpenPGP-related issues face to face? A restaurant or a lounge in the hotel
would be my preferred location.

As for myself, I would like to discuss the following (in this order of
importance):

- C library development. Currently, we have an orphaned(?) OpenCDK and an
  incomplete OpenPGP:SDK. A native C library would open the door for
  efficient, usable libraries for other languages (Perl, Python, Ruby,
  PHP, etc.), so I feel that this is very important. I am counting on Ben
  Laurie's participation for this one.

- Reference implementations, test vectors.

- Exotic signature types and their possible uses, semantics (timestamp,
  notarization, standalone, etc.).

- Forward secrecy

Perhaps, others might have other topics that could benefit from face-to-face
discussion.

Cheers,


Ben Laurie | 17 Jan 2008 17:09

Re: Face to face meeting in Cozumel?


Daniel A. Nagy wrote:
> Dear WG,
> 
> I have noticed, that several active members of the WG are going to attend
> FC2008 in Cozumel, Mexico.
> 
> Would you be interested in an informal meeting to discuss some
> OpenPGP-related issues face to face? A restaurant or a lounge in the hotel
> would be my preferred location.
> 
> As for myself, I would like to discuss the following (in this order of
> importance):
> 
> - C library development. Currently, we have an orphaned(?) OpenCDK and an
>   incomplete OpenPGP:SDK. A native C library would open the door for
>   efficient, usable libraries for other languages (Perl, Python, Ruby,
>   PHP, etc.), so I feel that this is very important. I am counting on Ben
>   Laurie's participation for this one.

Unfortunately I had to cancel Cozumel because of other commitments.

I do welcome the attention to OpenPGP:SDK, which is gradually getting
more complete. I'd be happy to find some other opportunity to meet - for
example, I am frequently in the Bay Area (next week, for example). Also,
I will be at NDSS and ShmooCon.

> - Reference implementations, test vectors.

+1

Simon Josefsson | 17 Jan 2008 17:33

Re: Face to face meeting in Cozumel?


nagydani <at> epointsystem.org (Daniel A. Nagy) writes:

> - C library development. Currently, we have an orphaned(?) OpenCDK and an

I'm not going to be in Cozumel.  In response to the '(?)', OpenCDK has
recently been updated (the 0.6.x series) after a long period of minimal
maintenance.  We are moving towards a LGPL version of libopencdk, which
was included in the core GnuTLS library git repository just a few days
ago.

/Simon

Arturo 'Buanzo' Busleiman | 17 Jan 2008 17:47

Re: Face to face meeting in Cozumel?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I'd love to attend, especially now that my OpenPGP Session Management for HTTP (Firefox/Apache)
is complete, but sorry :(

- --
Arturo "Buanzo" Busleiman
The Charlie Protas Project is on its way
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHj4a/AlpOsGhXcE0RCpIeAJ9CMD/GlnpDdsG4f6UdRJEh8fcHawCePMEA
2VmQciHhGp8rvkdRGKdfx4g=
=AjSK
-----END PGP SIGNATURE-----

Derek Atkins | 17 Jan 2008 18:39

Re: Face to face meeting in Cozumel?


"Arturo 'Buanzo' Busleiman" <buanzo <at> buanzo.com.ar> writes:

> I'd love to attend, especially now that my OpenPGP Session Management for HTTP (Firefox/Apache)
> is complete, but sorry :(

I'm afraid I won't be in Cozumel, either.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek <at> ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

Derek Atkins | 17 Jan 2008 18:45

Rechartering the OpenPGP WG


Happy New Year everyone.

At the IETF in Vancouver last month Sam Hartman said that he'd
welcome a rechartering discussion to allow us to continue to
work.  So before I start writing up a charter and milestones,
please pipe up if:

1) You are working on a draft that you think should be in the WG
2) You are thinking of working on a draft in the near future
   that you think should be in the WG
3) You have a working item topic that you'd like the WG to handle
   but you're not working on a draft yet but would like to get
   someone to work on.

Obviously #1 and #2 take significant precedence over #3.  In
addition, please provide time estimates for how much work
you suspect the draft will take (so we can set up appropriate
WG milestones).

Please respond in the next week so I can collect the responses
and work on an updated WG Charter.

NOTE:  If you do not respond then your idea will not be included
in the charter.  If I hear nothing then the WG will just be closed,
which means you'll actually need to physically attend IETFs
to get a new WG chartered.

I look forward to hearing from you.


Ian G | 17 Jan 2008 18:50

Re: Face to face meeting in Cozumel?


Arturo 'Buanzo' Busleiman wrote:

> ... my OpenPGP Session Management
> for HTTP (Firefox/Apache)

What is it?

iang

