Certificate directories

lst_hoe02(a)kwsoft.de wrote:

> Have I got it right that you plan to operate some sort of LDAP directory
> as "cache" for numerous others like ldap://directory.bridge-ca.org and
> others?

Yes LDAP or HTTP (see for example rfc4387)

It's similar to a PGP key server.

> If Djigzo get really widely used this can get expensive I guess...

A certificate is not that big and you only need to retrieve it once but
yes if it becomes really popular you'll need multiple servers,
redundancy etc.

> Hm, it would not be that security sensitive as the Djigzo instances do
> the queries should still check if the certificates which they get are
> valid, so one could start with some sort of VPS with around 10Euro/month
> as server.

We have our own rack so we host our own server.

Yes you are right in that the Djigzo server should decide whether a
certificate is trusted or not (the owner decides which roots to trust)
so you don't need to trust the directory

> But the main question would be how to get the certificates in the store.

I was thinking of the following. The directory server trusts some of the
main CAs (like Verisign, StartSSL, CACert etc). If someone starts a
search for a certificate the directory cache will check its cache and
also checks all external servers (Verisign, CACert etc) for matching
certs. If an external server has a matching cert it will be stored in
the cache. A user can also upload a certificate. If the certificate is
trusted (ie issued by a root trusted by the directory cache) it will be
automatically accepted. If the certificate is not trusted the user has
to finish a captcha test (to prevent someone from 'spamming' the
directory). Or if you are an approved user you can be allowed to upload
certificates without a captcha test.

Kind regards,

Martijn Brinkers


--
Djigzo open source email encryption

Quote from Martijn Brinkers <martijn(a)djigzo.com>:

> lst_hoe02(a)kwsoft.de wrote:
>
> > Have I got it right that you plan to operate some sort of LDAP directory
> > as "cache" for numerous others like ldap://directory.bridge-ca.org and
> > others?
>
> Yes LDAP or HTTP (see for example rfc4387)

I think HTTP and an RDBMS would be even easier in this case...

> It's similar to a PGP key server.
>
> > If Djigzo get really widely used this can get expensive I guess...
>
> A certificate is not that big and you only need to retrieve it once but
> yes if it becomes really popular you'll need multiple servers,
> redundancy etc.
>
> > Hm, it would not be that security sensitive as the Djigzo instances do
> > the queries should still check if the certificates which they get are
> > valid, so one could start with some sort of VPS with around 10Euro/month
> > as server.
>
> We have our own rack so we host our own server.

So that's a whole other league and it should be possible even on mid-scale.

> Yes you are right in that the Djigzo server should decide whether a
> certificate is trusted or not (the owner decides which roots to trust)
> so you don't need to trust the directory
>
> > But the main question would be how to get the certificates in the store.
>
> I was thinking of the following. The directory server trusts some of the
> main CAs (like Verisign, StartSSL, CACert etc). If someone starts a
> search for a certificate the directory cache will check its cache and
> also checks all external servers (Verisign, CACert etc) for matching
> certs. If an external server has a matching cert it will be stored in
> the cache. A user can also upload a certificate. If the certificate is
> trusted (ie issued by a root trusted by the directory cache) it will be
> automatically accepted. If the certificate is not trusted the user has
> to finish a captcha test (to prevent someone from 'spamming' the
> directory). Or if you are an approved user you can be allowed to upload
> certificates without a captcha test.

There are some other questions to solve:
- Should this be publicly available or Djigzo/Sign-in only?
- It should only allow full e-mail address direct matching, no
wildcards etc. to prevent address harvesting

But beside this it would solve one of the biggest S/MIME problems
today. It would be somewhat similar to the mentioned
www.bridge-ca.org, but without paid membership?

Regards

Andreas
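The directory behaviour sketched in Martijn's message (check the cache, then every external CA directory, cache any hit; auto-accept uploads that chain to a root the directory trusts, otherwise demand a captcha unless the uploader is approved) together with Andreas's exact-address-only rule against harvesting, as an added example. This is not code from the thread or from Djigzo: certificates are modelled as plain records with an e-mail address, an issuer name and encoded bytes instead of real X.509 objects, "issued by a trusted root" is modelled as an issuer-name match, the upstream directories are in-memory callables, and the names Cert, UploadDecision, normalize_address, Directory and client_should_trust are assumptions of this example. The last function shows the point both writers agree on: the Djigzo-style client treats the directory as untrusted and checks the certificate against its own roots.

```python
"""Constructed model of a certificate directory cache (not Djigzo code)."""
from dataclasses import dataclass
from enum import Enum
import hashlib
import re

# Characters that would turn a lookup into an LDAP/SQL wildcard or filter search.
FORBIDDEN_QUERY_CHARS = "*%?()"


@dataclass(frozen=True)
class Cert:
    email: str    # subject e-mail address (the rfc822Name in the SAN)
    issuer: str   # name of the issuing root CA (stands in for a real chain check)
    der: bytes    # encoded certificate bytes (constructed for this example)

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class UploadDecision(Enum):
    ACCEPTED = "accepted"          # stored in the cache
    CAPTCHA_REQUIRED = "captcha"   # not stored until the uploader solves a captcha


def normalize_address(email: str) -> str:
    """Accept exactly one complete e-mail address; reject wildcards and partial
    searches so the directory cannot be used to harvest addresses."""
    if any(ch in email for ch in FORBIDDEN_QUERY_CHARS):
        raise ValueError("wildcard or filter characters are not allowed")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError("a complete e-mail address is required")
    # Case is folded for matching; local-part case is ignored here deliberately.
    return email.lower()


class Directory:
    def __init__(self, trusted_roots, upstreams, approved_users=()):
        self.trusted_roots = set(trusted_roots)
        self.upstreams = list(upstreams)        # callables: address -> list[Cert]
        self.approved_users = set(approved_users)
        self._cache = {}                        # address -> {fingerprint: Cert}

    def _store(self, cert: Cert) -> None:
        self._cache.setdefault(cert.email.lower(), {})[cert.fingerprint()] = cert

    def cached(self, email: str) -> list:
        return list(self._cache.get(normalize_address(email), {}).values())

    def search(self, email: str) -> list:
        """Cache first, then every upstream directory; new upstream hits are cached.
        Only certificates whose subject equals the queried address are accepted,
        so a misbehaving upstream cannot plant certificates for other addresses."""
        addr = normalize_address(email)
        found = dict(self._cache.get(addr, {}))
        for upstream in self.upstreams:
            for cert in upstream(addr):
                if cert.email.lower() != addr:
                    continue
                if cert.fingerprint() not in found:
                    self._store(cert)
                    found[cert.fingerprint()] = cert
        return list(found.values())

    def upload(self, cert: Cert, uploader=None, captcha_solved=False) -> UploadDecision:
        """Auto-accept certificates from a root the directory trusts or from an
        approved user; everyone else has to solve a captcha first."""
        if (cert.issuer in self.trusted_roots
                or uploader in self.approved_users
                or captcha_solved):
            self._store(cert)
            return UploadDecision.ACCEPTED
        return UploadDecision.CAPTCHA_REQUIRED


def client_should_trust(cert: Cert, recipient: str, client_roots) -> bool:
    """What the querying mail server does with a directory result: the directory
    is untrusted, so the client checks the issuer against its *own* roots and
    that the subject really is the intended recipient."""
    return cert.issuer in client_roots and cert.email.lower() == recipient.lower()


if __name__ == "__main__":
    def cacert_dir(addr):   # constructed stand-in for an external CA directory
        return [Cert("alice@example.org", "CACert", b"alice-cert-1")] if addr == "alice@example.org" else []

    d = Directory(["CACert", "StartSSL"], [cacert_dir], approved_users=["admin"])
    for c in d.search("Alice@Example.org"):
        print(c.email, c.issuer, client_should_trust(c, "alice@example.org", {"CACert"}))
    print(d.upload(Cert("bob@example.org", "Bob self-signed", b"bob-1")))
```

In a real deployment the issuer-name comparison would be a full chain validation (signature, validity period, revocation) on both sides, and the cache would be the HTTP- or LDAP-served store the thread discusses; the structure of the decisions stays the same.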