Re: Successful LDAP signing test

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 19 Feb 2010 23:49:32 -0800 (PST)

On Fri, 19 Feb 2010, Murray S. Kucherawy wrote:
> So the next question is: Which of the things you tried is actually
> easier for an LDAP administrator to do? I'm fine with supporting
> DER-style keys for LDAP (and probably SQL and maybe Sleepycat) but we
> also need to consider that flat files can't use anything with linefeeds,
> so all-on-one-line keys will have to be supported as well.
>
> Maybe we need a "PrivateKeyFormat" parameter that tells it how to
> interpret whatever it gets back from the KeyTable?

Another issue is that the "secretkey" parameter to libopendkim's
dkim_sign() function expects a PEM-formatted key (which wasn't documented,
though I've now fixed that). Changing it to require DER-formatted keys
might make upgrading a pain for a lot of people that just use the library.

I suppose we could include a utility function for converting PEM to DER if
we make that change, though there's a potential for user mistakes when
adding that bit of complexity there.

We might be able to have dkim_sign() auto-select PEM/DER based on whether
or not the first five bytes are "-----", but I'm not sure how safe that
is.
Received on Sat Feb 20 2010 - 07:49:56 PST
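
An added illustration (not part of the original message, and not libopendkim code) of the auto-selection idea raised above: it checks for the five-dash PEM prefix and accepts DER only when the buffer is one ASN.1 SEQUENCE whose declared length matches the buffer exactly, returning "unknown" otherwise instead of guessing. The function and enum names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for this example; not part of libopendkim. */
enum key_format { KEY_UNKNOWN = 0, KEY_PEM, KEY_DER };

enum key_format
sniff_key_format(const unsigned char *buf, size_t len)
{
    size_t n, i, hdr, body = 0;

    if (buf == NULL || len < 2)
        return KEY_UNKNOWN;

    /* PEM armor begins with five dashes ("-----BEGIN ..."). */
    if (len >= 5 && memcmp(buf, "-----", 5) == 0)
        return KEY_PEM;

    /* A DER private key is an ASN.1 SEQUENCE: tag 0x30, then a length. */
    if (buf[0] != 0x30)
        return KEY_UNKNOWN;

    if (buf[1] < 0x80) {
        /* Short form: the length is this byte. */
        hdr = 2;
        body = buf[1];
    } else {
        /* Long form: the low 7 bits count the length bytes that follow. */
        n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n)
            return KEY_UNKNOWN;
        for (i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        hdr = 2 + n;
    }

    /* The declared length must account for every remaining byte, so
     * truncated input or trailing data is rejected, not passed on. */
    if (body != len - hdr)
        return KEY_UNKNOWN;

    return KEY_DER;
}
```

Bare base64 on one line (the flat-file case) and PEM text preceded by a stray newline both come back as KEY_UNKNOWN here, so a caller would still need an explicit format setting for those.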
