OpenLDAP schema to store OpenPGP keys?
walter.haidinger at gmx.at
Thu Feb 23 01:04:10 CET 2006
On Wed, 22 Feb 2006, David Shaw wrote:
> It's a bit more complex than that - what LDAP (and any keyserver) does
> is provide the key itself. That key is then imported and lives
> locally from then on until it is deleted. There would need to be
> cleanup after use or keys would be left behind.
I see. Obviously not a problem for public keys but definitely
for private... Should have thought a bit more about how GnuPG
works first. I guess I was too enthusiastic about the soon-working
LDAP keyserver... Btw, I'll test the unique flag later today.
> Are you looking for a remote keyring?
> That's slightly different than a keyserver, or at least the thing
> that GnuPG calls a keyserver.
Now that you mention it: actually yes, for private keys. I've not done
any research about that yet. Just came to my mind during the discussion
in this thread.
Does GnuPG support remote keyrings?
> 1.4.3. I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.
Thanks. I was about to ask if I can get it from the SVN tree early...
You're just too quick! ;-)
> There aren't significant changes to the keyserver protocol between
> the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
I'll try a full checkout, though. I've read about another option
which allows for keyserver failover, 'query' IIRC.
> This is just for testing though - the actual feature needs a little
> more work before 1.4.3 release - the binddn and bindpw is global for
> all keyservers, so if someone selects a different ldap keyserver
> without removing the binddn and bindpw, they likely will be refused
> (bad password). This can happen automatically with keyserver URLs.
> What is really needed is a .netrc-style "ldap-password" file that
> contains binddn and bindpw for different machines.
This is a general limitation, not to be solved by the ldap code,
IMHO. AFAIK, 1.4.2 only supports a single keyserver, right?
Therefore, any keyserver options apply to the one set. There should
be a mechanism to specify multiple keyservers, each with its own
option set, binddn and bindpw just being one of them.
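As an added illustration (not code from this thread or from GnuPG), here is a small Python sketch of the per-host lookup suggested above: bind credentials keyed by keyserver host in a .netrc-style file, so that a different LDAP keyserver gets its own binddn/bindpw, or none at all, instead of the global pair. The file layout, host names and credentials are assumptions.

```python
import netrc
import os
import tempfile
from urllib.parse import urlsplit

# Constructed sample "ldap-password" file in .netrc syntax (assumed layout):
# one "machine" entry per LDAP keyserver, login = binddn, password = bindpw.
SAMPLE_LDAP_PASSWORD_FILE = """\
machine ldap.example.org
  login cn=reader,dc=example,dc=org
  password reader-secret
machine keys.example.net
  login cn=gpg,dc=example,dc=net
  password other-secret
"""


def write_sample_file():
    """Write the constructed sample to a private temp file and return its path."""
    tmp = tempfile.NamedTemporaryFile(mode="w", suffix=".ldap-password", delete=False)
    with tmp:
        tmp.write(SAMPLE_LDAP_PASSWORD_FILE)
    os.chmod(tmp.name, 0o600)  # credentials file: owner-only, like ~/.netrc
    return tmp.name


def bind_credentials(keyserver_url, credential_file):
    """Return (binddn, bindpw) for the host in keyserver_url, or (None, None).

    An unknown host yields no credentials (anonymous bind) rather than the
    pair configured for some other server, which is the "bad password"
    failure mode of a single global binddn/bindpw.
    """
    host = urlsplit(keyserver_url).hostname
    if host is None:
        return (None, None)
    auth = netrc.netrc(credential_file).authenticators(host)
    if auth is None:
        return (None, None)
    login, _account, password = auth
    return (login, password)


if __name__ == "__main__":
    path = write_sample_file()
    for url in ("ldap://ldap.example.org/", "ldap://keys.example.net:389/",
                "ldap://unknown.example.com/"):
        print(url, "->", bind_credentials(url, path))
```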