This article describes how to configure the Verified Directory for PGP Universal Server 2.5 and above. This allows internal users to manage the publishing of their own public keys. The PGP Verified Directory serves as a replacement for the PGP Keyserver product.
HOW TO: Configure the PGP Verified Directory on PGP Universal Server
The PGP Verified Directory gives you the option of hosting a Web-accessible keyserver for the public keys of your internal or external users. This feature is optional; you do not have to enable it. You can choose whether to allow your internal users or external users, or both, to submit their keys.
The PGP Verified Directory feature is also part of the replacement for the PGP Keyserver product. It allows users running older PGP client software not directly supported by PGP Universal Server to submit their keys.
The PGP Verified Directory sends verification messages to the email addresses on keys submitted to it. If the key owner responds to the verification message with permission to add the key, then the key is added to the directory. This approach keeps the PGP Verified Directory free of useless keys and protects users' privacy by foiling the upload of bogus keys that use their email addresses.
Published user keys are signed by another key. Keys submitted by internal users are signed by the Organization Key attached to the PGP Universal Server; keys submitted by external users (also called directory users) are signed by the Verified Directory Key.
Note: You must add a Verified Directory Key to the PGP Universal Server before you allow users outside your managed domain to submit keys.
The PGP Verified Directory also lets users search the directory through a web interface for the public keys of persons to whom they want to send secured messages. Once the PGP Verified Directory accepts an uploaded key, the verified key material is shared with the keyserver, to be used in encrypting messages.
Enabling the PGP Verified Directory
- On the Services/Verified Directory card, click the Enable button to enable the service.
- To disable the PGP Verified Directory service, click the Disable button on the Verified Directory card.
Configuring the PGP Verified Directory
- On the Services/Verified Directory card, click the Edit button.
The Edit Verified Directory screen appears.
- The Interface tab is displayed by default.
- In the Public URL field, enter the PGP Verified Directory's network name. Directory users access the PGP Verified Directory using this URL. The default URL is the hostname of the server, and the default port is port 80. You may want to change the URL, depending on your network configuration. By default, SSL is turned off. If the PGP Verified Directory runs on an interface with SSL, use HTTPS, not HTTP, for the public URL. If the port you choose is not the default, add the port number to the end of the URL.
- In the Interface field, select the appropriate interface for the PGP Verified Directory from the drop-down list.
- In the Port field, enter a port number for the PGP Verified Directory to listen on or keep the default setting.
The above two fields establish the interface and port on which the PGP Verified Directory listens.
- Put a check in the SSL checkbox to require that connections to the PGP Verified Directory be over SSL.
- Click the plus sign icon to the right of the Edit field to add another network interface, and select the appropriate interface, port, and SSL information.
- Click the Options tab to specify key and user interaction settings.
- Establish key submission criteria for internal users:
Allow Submission. When checked, users can submit their public keys to the PGP Verified Directory. When unchecked, they can't. You can choose whether internal or directory users can submit their keys. Internal users are inside your managed domain; directory users are users outside your managed domain.
Vetting Method. Choose a method for determining whether or not the owner of a submitted key agrees to it being posted in the PGP Verified Directory. Implicit means anyone who submits a key is trusted by default. Manual means the PGP administrator will manually approve or disapprove all submitted keys (the default). Email means an email message will be sent to the address on the key and must be responded to before the key is published.
- In the Re-email Timeout field, enter a timeout value for resending email. The default is 24 hours. If for some reason a user's key is submitted multiple times, the timeout value specifies how often the user will receive the vetting email in response. The default of 24 hours means that users will only receive the email once every 24 hours.
- In the Email Token Timeout field, enter the timeout value for the expiration of the email token. The default is 336 hours (14 days).
- In the Signature Expiration field, enter the expiration time for the Organization Key's signature. The default is 6 months.
When the signature expiration period is reached, the user's key will automatically be re-verified using the selected vetting method.
- In the Max Search Results field, enter the maximum number of results users receive for a web-based search. The default number of results returned for web-based searches is 25.
- Click the Administrator tab to create a message to directory users that will appear when there is a problem with the service.
- Click Save.
The settings you established are saved.
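To make the Options tab settings concrete, the following is an added example (not PGP Corporation's code) that models the Email vetting method: the Re-email Timeout throttles repeat vetting mails, the Email Token Timeout bounds how long a confirmation stays valid, and Signature Expiration forces re-verification. The token format, the in-memory store, hours as the time unit and the sample key ID are all assumptions made for the illustration.

```python
import secrets

REEMAIL_TIMEOUT_H = 24            # Re-email Timeout default (hours)
TOKEN_TIMEOUT_H = 336             # Email Token Timeout default (14 days)
SIGNATURE_EXPIRY_H = 6 * 30 * 24  # Signature Expiration default (~6 months)

class VerifiedDirectory:
    """Email-vetted directory: a key is published only after the address on
    it answers with a still-valid token, so a bogus key uploaded under
    someone else's address never becomes visible (assumed token format)."""
    def __init__(self):
        self.pending = {}    # email -> {"key_id", "token", "issued"}
        self.published = {}  # email -> {"key_id", "signed"}
        self.outbox = []     # (email, token) vetting mails "sent"

    def submit(self, email, key_id, now):
        """Returns 'sent' (vetting mail issued) or 'throttled'."""
        entry = self.pending.get(email)
        if entry and now - entry["issued"] < REEMAIL_TIMEOUT_H:
            return "throttled"  # repeat upload inside the Re-email Timeout
        token = secrets.token_urlsafe(16)
        self.pending[email] = {"key_id": key_id, "token": token, "issued": now}
        self.outbox.append((email, token))
        return "sent"

    def confirm(self, email, token, now):
        """Owner replies with the token; publish if it matches and is unexpired."""
        entry = self.pending.get(email)
        if entry is None or not secrets.compare_digest(entry["token"], token):
            return "rejected"
        if now - entry["issued"] > TOKEN_TIMEOUT_H:
            del self.pending[email]  # token outlived the Email Token Timeout
            return "expired"
        self.published[email] = {"key_id": entry["key_id"], "signed": now}
        del self.pending[email]
        return "published"

    def lookup(self, email, now):
        """Serve the key only while the directory signature is unexpired;
        otherwise unpublish it and start a fresh vetting round."""
        rec = self.published.get(email)
        if rec is None:
            return None
        if now - rec["signed"] >= SIGNATURE_EXPIRY_H:
            del self.published[email]
            self.submit(email, rec["key_id"], now)  # re-verify via email
            return None
        return rec["key_id"]
```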
Clustering and the PGP Verified Directory
Internal user keys submitted through the PGP Verified Directory are replicated throughout a cluster. However, submitted external user keys are not replicated.
To make sure these keys are replicated across your cluster, you can manually add PGP Verified Directory user keys to the external user list. Export the PGP Verified Directory user keys, then re-import them into the External Users page. This means that PGP Verified Directory users no longer control their keys, and those keys will not be published to the keyserver, but it does ensure the keys are replicated across the cluster.
You can also make sure external user PGP Verified Directory keys are always available by designating one non-cluster PGP Universal Server to function as a dedicated PGP Verified Directory. Make sure that you add that PGP Universal Server to your list of searchable keyservers for any mail policy rule that requires it.