OpenLDAP schema to store OpenPGP keys?

Walter Haidinger walter.haidinger at gmx.at
Tue Feb 21 01:15:08 CET 2006


On Mon, 20 Feb 2006, David Shaw wrote:

> LDAP had TLS support back in 1.3.5.  HTTP and FTP just got TLS support
> in 1.4.3.  At one point, I started documenting the new options and
> stopped because the man page would be enormous.  At some point, I'll
> probably make a "gpgkeys" man page so as to not grow the main "gpg"
> page too much.

Well, at least some hints that TLS support exists at all would have
been useful! ;-)  (*)

> I don't know that LDAP is a good *public* keyserver as things stand.
> By its nature, even if some sort of authentication was added, the
> server would only carry keys that were explicitly submitted to it.
> Most other keyservers synchronize with their peers automatically to
> carry a global keyring.

Agreed.

> A LDAP keyserver would be useful as a company keyserver where people
> inside the company IP range or an administrator can add keys, and the
> rest of the world can just read. 

That eliminates tcp-wrapping. You'd have to grant write access by 
using the peername statement in the access <who> field, right? 

> Anyway, that is (more or less) how I was expecting LDAP to be used.  I
> never added LDAP auth because I wasn't sure exactly what was needed,
> and didn't want to implement it without some clear use case.

Well, how about the following for a different usage scenario:

It would be nice if all users could submit their keys, readable by
all, but delete only their own submitted keys. Thus, no dedicated
administrator for key management would be required, since the LDAP
server itself doesn't require much administration after setup.

Walter

(*) No offense here, you've done a remarkable job so far!
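The two access-control scenarios discussed in this message, written out as an added slapd.conf example; this is not part of the original thread and not GnuPG's or OpenLDAP's own configuration. The suffix `dc=example,dc=com`, the OU `ou=PGP Keys` and the network `192.168.0.0/16` are assumptions, and the PGP key schema is assumed to be loaded elsewhere in slapd.conf.

```conf
# Scenario 1: hosts on the company network may add, modify and delete
# key entries; everyone else may only read. peername.ip matches the
# TCP peer address directly, so no tcp_wrappers rule is involved.
access to dn.subtree="ou=PGP Keys,dc=example,dc=com"
    by peername.ip=192.168.0.0%255.255.0.0 write
    by * read

# Scenario 2: any authenticated user may submit (add) a key entry,
# everyone may read, but only the user who created an entry may modify
# or delete it. Deleting an entry needs write access to the "entry"
# pseudo-attribute of that entry and to the "children" pseudo-attribute
# of its parent; dnattr=creatorsName matches when the bound DN equals
# the entry's creatorsName.
# Assumption: this relies on the "a" (add) privilege of OpenLDAP 2.3+
# and on dnattr matching the operational creatorsName attribute; check
# slapd.access(5) for the version in use before relying on it.
access to dn.exact="ou=PGP Keys,dc=example,dc=com" attrs=children
    by users write
    by * read

access to dn.children="ou=PGP Keys,dc=example,dc=com" attrs=entry
    by dnattr=creatorsName write
    by users =a
    by * read

access to dn.children="ou=PGP Keys,dc=example,dc=com"
    by dnattr=creatorsName write
    by * read
```

ACLs are evaluated in order and the first `access to` clause whose target matches wins, so the `attrs=entry` rule must precede the catch-all rule for the same subtree. Test the result with `slapacl` before exposing the server: it reports the access a given bound DN has to a given entry and attribute without performing any operation.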

More information about the Gnupg-users mailing list