LDAP keyserver patch 2

David Shaw dshaw at jabberwocky.com
Mon Sep 24 04:28:02 CEST 2001

Hi folks,

Here's version 2 of the generic keyserver support for GnuPG.  For most
people this means "LDAP keyserver support" :)

Significant changes since version 1:

* GnuPG now passes the keys to get/send via pipes, rather than using
  the command line.  Since anyone can run ps, this was done to avoid
  information leakage to other users logged into the same box as
  you.  What keys you are fetching from a keyserver is nobody's
  business but yours.

* Key modification time is shown if verbose is on (see below).

* A new config file option: "keyserver-options".  This is a space or
  comma delimited string that gives options for the keyserver fetcher.

  Current options are:

      give more information about what the keyserver fetcher is doing.
      Give "verbose" twice for even more information.

      similar to the --fast-import option when importing from a file.
      The import happens without updating the trustdb.  This makes the
      import faster, but you'll have to run gpg --update-trustdb

      The LDAP keyserver has the notion of a "disabled" key.  This is
      a key that for whatever reason, the keyholder does not want the
      server to give out.  This feature lets you bypass the lockout
      and get the key anyway.  I'm somewhat torn as to whether this is
      a good idea.

I welcome comments on the include-disabled issue, and whether it would
be useful to have an include-revoked, and by default not fetch revoked

Some stuff from last time:

To use the new feature, you need to tell GnuPG which keyserver helper
to call.  Do this by adding the protocol to the keyserver names in
your options file.  For example:

 # Old HKP keyservers still work
 keyserver x-hkp://wwwkeys.pgp.net

 # New LDAP keyserver
 keyserver ldap://certserver.pgp.com

 # Email keyserver
 keyserver mailto://pgp-public-keys@keys.pgp.net

For backwards compatibility, if you don't specify a protocol, GnuPG
assumes it's a HKP keyserver.  For HKP, the patch will still call the
internal HKP keyserver code, but I hope to move the HKP code to a
separate application at some point.

After applying the patch via the usual patch -p1, you should run
automake and autoconf to rebuild configure and the makefiles.  After
that, the usual ./configure and make should do it.

The patch is against 1.0.6 (not 1.0.6a), and should be considered
experimental for now.  As always, comments welcome.

Get the patch at:


   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 536 bytes
Desc: not available
Url : /pipermail/attachments/20010924/2a006cec/attachment.bin

More information about the Gnupg-devel mailing list