North American Network Operators Group
RE: PGP keyserver infrastructure
- From: L. Sassaman
- Date: Fri Jun 30 15:21:15 2000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 30 Jun 2000, Peter Francis wrote:
> We are currently running a globally load balanced network with
> dedicated servers available in 15 (and rising) locations in the US and
> Europe. We would be happy to run a number of keyservers on our
> network.
Wonderful!
> We are using the Foundry ServerIron's global server load balancing
> which uses a TCP syn/ack based round trip time metric to direct a
> client to the "closest" site.
>
> Does the key-service answer on a specific TCP port?
Yes. HKP Servers (which use a specialized HTTP connection) generally
listen on tcp 11371. You can look at http://web.mit.edu/marc/www/pks/ for
Marc Horowitz's original pksd, or at http://www.highware.com/main-oks.html
for Highware's OpenKeyServer, or you can go to
http://web.mit.edu/network/pgp.html to get NAI's Certserver. (The version
there is 2.5.1. There is an upgrade version, 2.5.2, that you will need to
patch to: http://www.tis.com/support/hotfix.html).
NAI's Certificate Server only runs on Solaris and NT, but provides an LDAP
and LDAPS interface (389 and 689, respectively by default). LDAP is a
nicer interface for searching keyservers.
> If this sounds feasible please point us at info on how to set up a key-server.
It's a generally straight-forward procedure. Once you have them up and
running, I am sure the folks on the flame.org list will be happy to answer
any questions about replication you might have.
__
L. Sassaman
System Administrator |
Technology Consultant | "Common sense is wrong."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE5XPHnPYrxsgmsCmoRAtDhAJ4uk4zGK+wBBX1yqJ5rBM0NkSc7TwCg0RJc
W5Qsq+jF3dUu/s1jihcWUb8=
=Zv3w
-----END PGP SIGNATURE-----