OpenLDAP schema to store OpenPGP keys?
dshaw at jabberwocky.com
Thu Feb 23 04:24:27 CET 2006
On Thu, Feb 23, 2006 at 01:04:10AM +0100, Walter Haidinger wrote:
> On Wed, 22 Feb 2006, David Shaw wrote:
> > Are you looking for a remote keyring?
> > That's slightly different than a keyserver, or at least the thing
> > that GnuPG calls a keyserver.
> Now that you mention it: acutally yes, for private keys. I've not done
> any research about that yet. Just came to my mind during the discussion
> in this thread.
> Does GnuPG support remote keyrings?
No, unless it's via a remote filesystem (NFS, SMB, some magic with
> > This is just for testing though - the actual feature needs a little
> > more work before 1.4.3 release - the binddn and bindpw is global for
> > all keyservers, so if someone selects a different ldap keyserver
> > without removing the binddn and bindpw, they likely will be refused
> > (bad password). This can happen automatically with keyserver URLs.
> > What is really needed is a .netrc-style "ldap-password" file that
> > contains binddn and bindpw for different machines.
> This is a general limitation, not to be solved by the ldap code,
> IMHO. AFAIK, 1.4.2 only supports a single keyserver, right?
> Therefore, any keyserver options apply to the one set. There should
> be a mechanism to specify multiple keyservers, each with its own
> option set, binddn and bindpw just being one of them.
I'm not sure I agree with this. GnuPG does support multiple
keyservers in the sense that it handles preferred keyserver records on
keys, as well as the new auto-key-locate feature. All of these have
the same set of options, as keyserver options are not per-keyserver.
They're not "options for keyserver x" - they are "options that pertain
to keyservers". For example, "auto-key-retrieve" is not meaningful
except in the general sense.
Until yesterday, in fact, when I added binddn and bindpw, all the
options were not meaningful except in the general sense. I think the
right place for the solution is in gpgkeys_ldap itself. Certainly,
HTTP, FTP, and HKP have no notion of a DN to bind to.
More information about the Gnupg-users