Hi, Daniel Kahn Gillmor <[EMAIL PROTECTED]> writes:
> For example, if foo.example.com runs an LDAP service as a
> non-privileged user (STARTTLS-enabled, of course), I'd prefer that the
> uid on the key used was something like
>
> ldap://foo.example.com/
>
> and not just "foo.example.com". Otherwise, a compromised LDAP service
> could masquerade as other services on the same machine.
>
> I'm not sure that a URI is the right thing to put there, but some
> indication of the service in particular is probably worth considering.

It feels strange to me to fill the user ID packet with something that is not an RFC822 mail name, even though this is just a convention. The Debian archive keys, for instance, contain a regular mail name, not just "http://www.debian.org/" or some such. The textual part (e.g., "Etch Stable Release Key") proves to be quite useful since it conveys additional information.

Of course, that information could be made part of an appropriately crafted URI (e.g., "http://www.debian.org/releases/etch/"), but that would be less user-friendly... and less conventional.

So I don't know what would be best for `openpgp_key_check_hostname ()'.

Thanks,
Ludovic.

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
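To make the trade-off in this thread concrete, here is an added illustration (not GnuTLS code, and not what `openpgp_key_check_hostname()` actually does) of matching a host and service against the three user ID conventions discussed: a service URI, a bare host name, and an RFC 822 mail name. The function name, the matching rules and the sample user IDs are constructed for this example.

```python
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlsplit


def uid_matches(uid: str, host: str, service: Optional[str] = None) -> bool:
    """Decide whether OpenPGP user ID `uid` vouches for `host`, and (when
    `service` is given, e.g. "ldap" or "https") for that particular service.

    Three user ID conventions from the thread are recognised (assumed rules,
    not GnuTLS's own):
      * a URI such as "ldap://foo.example.com/": the host must match and the
        URI scheme must equal the requested service (a per-service binding);
      * a bare host name "foo.example.com": matches the host for *any*
        service, which is the weaker binding the thread cautions about;
      * an RFC 822 mail name "Name <user@foo.example.com>": the mail domain
        is compared to the host.
    Comparison is case-insensitive, as DNS names are.
    """
    uid = uid.strip()
    host = host.lower().rstrip(".")
    if "://" in uid:
        parts = urlsplit(uid)
        if parts.hostname is None or parts.hostname.lower() != host:
            return False
        return service is None or parts.scheme.lower() == service.lower()
    _name, addr = parseaddr(uid)
    if "@" in addr:
        return addr.rsplit("@", 1)[1].lower() == host
    return uid.lower().rstrip(".") == host


# Constructed sample user IDs in the three styles mentioned in the thread.
KEY_UIDS = [
    "ldap://foo.example.com/",
    "foo.example.com",
    "Etch Stable Release Key <ftpmaster@debian.org>",
]


def uids_vouching_for(uids, host, service=None):
    """Return the user IDs that vouch for `host` (and `service`, if given)."""
    return [u for u in uids if uid_matches(u, host, service)]


if __name__ == "__main__":
    # The bare host name is the only uid that also vouches for HTTPS on
    # foo.example.com, which is the masquerade concern raised above.
    print(uids_vouching_for(KEY_UIDS, "foo.example.com", "https"))
```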
