Joseph Oreste Bruni
brunij at earthlink.net
Wed Nov 8 16:41:27 CET 2006
On Nov 7, 2006, at 7:01 AM, David Shaw wrote:
> Personally, I think that LDAP is better for key populations that have
> a distinct boundary: a company, for example. In a company, key
> merging isn't really that useful or desirable, as generally there
> isn't much back-and-forth key signing. Rather, the company signs each
> key with the authoritative company key.
> Since you already have a running LDAP setup, it seems like an obvious
> solution to use it rather than have to maintain a whole second server
> (with backups, etc).
> LDAP has another side benefit if you choose to make it visible outside
> the company: people who use PGP will automatically find keys for your
> employees and encrypt their mail. When encrypting to
> user@example.com, PGP universal looks for ldap://keys.example.com and
> asks it for the user@example.com key. Put "auto-key-locate ldap" in
> your gpg.conf, and GnuPG will do the same.
I was able to get my LDAP server to work as a keyserver using the
information found in the articles from earlier this year on this list,
but a few changes needed to be made to the layout and to the ACL. If
I write up a how-to, would you be interested in hosting the page on
the gnupg web site?
I was thinking: OpenLDAP supports external modules. Perhaps an
approach to supporting signature merging in LDAP would be to write a
module that could perform this activity. Just a thought. That might
be taking the LDAP server beyond what an LDAP server should be though...