Joseph Oreste Bruni brunij at
Wed Nov 8 16:41:27 CET 2006

On Nov 7, 2006, at 7:01 AM, David Shaw wrote:

> Personally, I think that LDAP is better for key populations that have
> a distinct boundary: a company, for example.  In a company, key
> merging isn't really that useful or desirable, as generally there
> isn't much back-and-forth key signing.  Rather, the company signs each
> key with the authoritative company key.
> Since you already have a running LDAP setup, it seems like an obvious
> solution to use it rather than have to maintain a whole second server
> (with backups, etc).
> LDAP has another side benefit if you choose to make it visible outside
> the company: people who use PGP will automatically find keys for your
> employees and encrypt their mail.  When encrypting to
> user at, PGP universal looks for ldap:// and
> asks it for the user at key.  Put "auto-key-locate ldap" in
> your gpg.conf, and GnuPG will do the same.

I was able to get my LDAP server to work as a keyserver using the  
information found in the articles from earlier this year on this list  
but a few changes needed to be made to the layout and to the ACL. If  
I write up a how-to, would you be interested in hosting the page on  
the gnupg web site?

I was thinking: OpenLDAP supports external modules. Perhaps an  
approach to supporting signature merging in LDAP would be to write a  
module that could perform this activity. Just a thought. That might  
be taking the LDAP server beyond what an LDAP server should be though...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20061108/f09b197a/smime.bin

More information about the Gnupg-users mailing list