OpenLDAP schema to store OpenPGP keys?

David Shaw dshaw at jabberwocky.com
Thu Feb 23 00:28:48 CET 2006


On Wed, Feb 22, 2006 at 11:02:10AM +0100, Walter Haidinger wrote:
> On Tue, 21 Feb 2006, David Shaw wrote:
> 
> > > If GnuPG could also store secret keys (btw, can it? have never checked)
> > 
> > It's theoretically possible, but no keyserver works that way.
> 
> Probably not for HTTP keyservers, but for LDAP offering strong
> authentication and TLS/SSL?
> 
> A remotely accessible, single storage of secret keys could be quite 
> useful for some people. You wouldn't be required to carry the secret 
> keyring with you on USB sticks or the like anymore. When I think about it,
> probably a better use for LDAP capabilities than to store public keys...

It's a bit more complex than that - what LDAP (and any keyserver) does
is provide the key itself.  That key is then imported and lives
locally from then on until it is deleted.  There would need to be
cleanup after use or keys would be left behind.  Are you looking for a
remote keyring?  That's slightly different than a keyserver, or at
least the thing that GnuPG calls a keyserver.

> > > on LDAP, this might be different story. However, at least for now, 
> > > being as secure as pam_ldap _is_ sufficient, IMHO.
> > 
> > Okay, I buy this.  I'll add binddn and bindpw to gpgkeys_ldap for
> > the next release.
> 
> Next release of 1.4.x or 1.9.x?

1.4.3.  I've added the new feature, so you could probably grab the
gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.  There
aren't significant changes to the keyserver protocol between the two.
Just replace the existing gpgkeys_ldap.c with the new one and
recompile.

This is just for testing though - the actual feature needs a little
more work before the 1.4.3 release - the binddn and bindpw are global for
all keyservers, so if someone selects a different ldap keyserver
without removing the binddn and bindpw, they likely will be refused
(bad password).  This can happen automatically with keyserver URLs.
What is really needed is a .netrc-style "ldap-password" file that
contains binddn and bindpw for different machines.

David
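The per-machine credential file described above, worked through as an added example. This is not GnuPG code and not the gpgkeys_ldap.c change discussed in the message: the "ldap-password" file format (one "machine HOST binddn DN bindpw PASSWORD" line per keyserver), the file path, the sample entries and all function names are assumptions made for illustration. It contrasts a single global binddn/bindpw, which is handed to whatever keyserver is currently selected, with a lookup keyed on the keyserver URL's host, which returns nothing (anonymous bind) for a host that has no entry instead of somebody else's password.

```python
"""Per-keyserver LDAP bind credentials, .netrc style.

Added example, not GnuPG code.  The 'ldap-password' file format here is a
hypothetical one in the spirit of .netrc: one 'machine' entry per keyserver
host, carrying the binddn and bindpw to use for that host only.
"""
import os
import shlex
import stat
from urllib.parse import urlsplit

# Constructed sample file (hypothetical ~/.gnupg/ldap-password).
SAMPLE_LDAP_PASSWORD = """
# machine HOST binddn DN bindpw PASSWORD
machine keys.example.org  binddn "cn=gpg,ou=svc,dc=example,dc=org"  bindpw "s3cret"
machine ldap.other.net    binddn "uid=walter,dc=other,dc=net"        bindpw "hunter2"
"""


def parse_ldap_password(text):
    """Parse 'machine HOST binddn DN bindpw PW' lines into {host: (dn, pw)}.

    Blank lines and '#' comments are skipped.  shlex does the tokenising so
    a DN containing spaces or commas can be quoted.  Hosts are lower-cased
    because DNS names are case-insensitive.
    """
    creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        if (len(tokens) != 6 or tokens[0] != "machine"
                or tokens[2] != "binddn" or tokens[4] != "bindpw"):
            raise ValueError(
                "ldap-password line %d: expected "
                "'machine HOST binddn DN bindpw PASSWORD'" % lineno)
        creds[tokens[1].lower()] = (tokens[3], tokens[5])
    return creds


def keyserver_host(url):
    """Host part of an ldap:// or ldaps:// keyserver URL (port dropped)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP keyserver URL: %r" % url)
    return parts.hostname


def bind_credentials(creds, url):
    """Credentials for the keyserver named in URL, or None for an anonymous bind.

    A host with no entry gets no credentials at all rather than another
    server's pair, so switching keyservers cannot produce a bad-password
    refusal.
    """
    return creds.get(keyserver_host(url))


def global_bind_credentials(binddn, bindpw, url):
    """Model of a single global binddn/bindpw: the same pair goes to whichever
    keyserver is selected, which is the problem the per-host file avoids."""
    keyserver_host(url)  # still insist on an LDAP URL
    return (binddn, bindpw)


def is_private_mode(st_mode):
    """True if a regular file's mode grants nothing to group or others (0600
    or tighter), the same rule .netrc readers apply before trusting a file."""
    return stat.S_ISREG(st_mode) and (st_mode & 0o077) == 0


def load_ldap_password(path):
    """Read and parse the file, refusing one that other local users can read."""
    st = os.stat(path)
    if not is_private_mode(st.st_mode):
        raise PermissionError("%s must be a regular file with mode 0600" % path)
    with open(path, encoding="utf-8") as fh:
        return parse_ldap_password(fh.read())


if __name__ == "__main__":
    table = parse_ldap_password(SAMPLE_LDAP_PASSWORD)
    for url in ("ldap://keys.example.org", "ldaps://ldap.other.net:636/",
                "ldap://keyserver.example.com"):
        print(url, "->", bind_credentials(table, url))
```

The lookup is keyed on host only, so two keyservers on the same host but different ports would share an entry; if that matters, extend the "machine" token to host:port. The mode check mirrors what .netrc-aware tools do, since the file holds cleartext bind passwords.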


