Please test :)

David Shaw dshaw at jabberwocky.com
Fri Aug 14 04:21:46 CEST 2009


Hi everyone,

I'd appreciate it if people could test two particular things in the  
keyserver support:

1) LDAP now works with DNS service discovery.  So, if you have keys in  
a ldap keyserver, you can put something like

_pgpkey-ldap._tcp       SRV     0 0 389 my-ldap-keyserver.example.com.

in your DNS and GPG will know that for addresses at example.com, it can  
query ldap://my-ldap-keyserver.example.com for keys.

This is very similar to the current support for ldap where GPG will  
look for a ldap keyserver named "keys" (i.e. for address at example.com,  
it looks for ldap://keys.example.com), but is no longer required to be  
named "keys".  If the SRV record does not exist, GPG will still look  
for the "keys" name for backwards (and PGP) compatibility.

Setting "auto-key-locate ldap" turns this feature on.  If you use an  
email address as a recipient, and do not have a key for that  
recipient, the key location feature will kick in and try to find the  
key for you.

Incidentally, it is legal to do this:

_pgpkey-ldap._tcp.example.com.       SRV     0 0 389 keyserver.pgp.com.

That is, point to a non-local (but public) keyserver.  It just means  
"to find keys for addresses @example.com, consult the keyserver at  
ldap://keyserver.pgp.com".

2) HKPS - in other words regular old HKP over SSL (i.e. https).  So
far as I know, the only hkps server in existence right now is
hkps://zimmermann.mayfirst.org.

David
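As an added illustration of the lookup order David describes (SRV record for `_pgpkey-ldap._tcp.<domain>` first, then the legacy `keys.<domain>` name), here is a small Python model of that discovery logic. It is example code written for this page, not GnuPG's implementation; the zone data and the `FAKE_ZONE`, `srv_name_for`, `choose_srv`, `ldap_url` and `discover_ldap_keyserver` names are constructed for the example, and no real DNS query is made.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS: owner name -> SRV records as
# (priority, weight, port, target).  Nothing here is looked up live.
FAKE_ZONE: Dict[str, List[Tuple[int, int, int, str]]] = {
    # example.com publishes two servers; priority 0 must win over 10.
    "_pgpkey-ldap._tcp.example.com.": [
        (10, 0, 389, "backup-ldap.example.com."),
        (0, 0, 389, "my-ldap-keyserver.example.com."),
    ],
    # example.org points at a non-local public keyserver (as the post
    # says is legal); the non-default port is constructed to show that
    # the port from the SRV record is carried into the URL.
    "_pgpkey-ldap._tcp.example.org.": [
        (0, 0, 10389, "keyserver.pgp.com."),
    ],
}

LDAP_DEFAULT_PORT = 389


def srv_name_for(email: str) -> Optional[str]:
    """Owner name of the SRV record for the address's domain, or None."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return f"_pgpkey-ldap._tcp.{domain}." if domain else None


def choose_srv(records: List[Tuple[int, int, int, str]]):
    """RFC 2782 order: lowest priority first; among equal priorities the
    highest weight (a deterministic stand-in for weighted random)."""
    return min(records, key=lambda r: (r[0], -r[1]))


def ldap_url(target: str, port: int) -> str:
    """Build ldap://host[:port], omitting the default LDAP port."""
    host = target.rstrip(".")
    return f"ldap://{host}" if port == LDAP_DEFAULT_PORT else f"ldap://{host}:{port}"


def discover_ldap_keyserver(email: str, zone=FAKE_ZONE) -> Optional[str]:
    """SRV record first; if none exists, fall back to keys.<domain>."""
    name = srv_name_for(email)
    if name is None:
        return None
    records = zone.get(name)
    if records:
        _prio, _weight, port, target = choose_srv(records)
        return ldap_url(target, port)
    domain = name[len("_pgpkey-ldap._tcp."):]  # keeps the trailing dot
    return ldap_url("keys." + domain, LDAP_DEFAULT_PORT)
```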




More information about the Gnupg-devel mailing list