On Wed, Feb 22, 2006 at 11:02:10AM +0100, Walter Haidinger wrote:
> On Tue, 21 Feb 2006, David Shaw wrote:
>
> > > If GnuPG could also store secret keys (btw, can it? have never checked)
> >
> > It's theoretically possible, but no keyserver works that way.
>
> Probably not for HTTP keyservers, but for LDAP offering strong
> authentication and TLS/SSL?
>
> A remotely accessible, single storage of secret keys could be quite
> useful for some people. You wouldn't be required to carry the secret
> keyring with you on USB sticks or else anymore. When I think about it,
> probably a better use for LDAP capabilities than to store public keys...
It's a bit more complex than that - what LDAP (and any keyserver) does is
provide the key itself. That key is then imported and lives locally from
then on until it is deleted. There would need to be cleanup after use or
keys would be left behind. Are you looking for a remote keyring? That's
slightly different than a keyserver, or at least the thing that GnuPG
calls a keyserver.

> > > on LDAP, this might be a different story. However, at least for now,
> > > being as secure as pam_ldap _is_ sufficient, IMHO.
> >
> > Okay, I buy this. I'll add binddn and bindpw to gpgkeys_ldap for
> > the next release.
>
> Next release of 1.4.x or 1.9.x?

1.4.3. I've added the new feature, so you could probably grab the
gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There
aren't significant changes to the keyserver protocol between the two.
Just replace the existing gpgkeys_ldap.c with the new one and recompile.

This is just for testing though - the actual feature needs a little more
work before the 1.4.3 release - the binddn and bindpw are global for all
keyservers, so if someone selects a different ldap keyserver without
removing the binddn and bindpw, they likely will be refused (bad
password). This can happen automatically with keyserver URLs. What is
really needed is a .netrc-style "ldap-password" file that contains binddn
and bindpw for different machines.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
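The per-host credential file David describes at the end of his message is sketched below as an added illustration; it is not GnuPG code and not the format gpgkeys_ldap actually implements. It assumes a hypothetical "ldap-password" file in .netrc syntax (`machine HOST login BINDDN password BINDPW`, quoted tokens allowed because bind DNs contain commas), looks up the bind credentials by the host in the keyserver URL, and returns none for an unknown host so that switching to a different LDAP keyserver falls back to an anonymous bind instead of sending the wrong binddn and bindpw. The hosts and passwords in the sample are constructed placeholders.

```python
"""Hypothetical .netrc-style 'ldap-password' file for per-keyserver LDAP bind
credentials.  Added example, not GnuPG's own code or file format."""
import os
import shlex
import stat
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample file contents; every host, DN and password is a placeholder.
SAMPLE_LDAP_PASSWORD = '''
# ldap-password: one entry per LDAP keyserver host
machine keys.example.com login "cn=gpg,ou=users,dc=example,dc=com" password "example-password-1"
machine ldap.example.org
    login "uid=walter,dc=example,dc=org"
    password "example-password-2"
'''


@dataclass(frozen=True)
class BindCreds:
    binddn: str
    bindpw: str


def parse_ldap_password(text: str) -> Dict[str, BindCreds]:
    """Parse netrc-style text into {hostname: BindCreds}.

    Keywords: 'machine HOST', 'login BINDDN', 'password BINDPW', and an optional
    'default' entry (stored under the key 'default').  Tokens may be quoted;
    lines starting with '#' are comments.  Entries may span several lines.
    """
    tokens = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens.extend(shlex.split(stripped))

    entries = []  # list of [name, {"login": ..., "password": ...}]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            if i + 1 >= len(tokens):
                raise ValueError("'machine' without a host name")
            entries.append([tokens[i + 1].lower(), {}])
            i += 2
        elif tok == "default":
            entries.append(["default", {}])
            i += 1
        elif tok in ("login", "password"):
            if not entries or i + 1 >= len(tokens):
                raise ValueError(f"'{tok}' outside a machine entry or missing its value")
            entries[-1][1][tok] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")

    creds = {}
    for name, fields in entries:
        if "login" not in fields or "password" not in fields:
            raise ValueError(f"entry for {name} needs both login and password")
        creds[name] = BindCreds(fields["login"], fields["password"])
    return creds


def mode_is_private(mode: int) -> bool:
    """True if a file mode grants no group/other permissions (like ~/.netrc)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_ldap_password(path: str) -> Dict[str, BindCreds]:
    """Read the file, refusing it if other users could read the bind passwords."""
    mode = os.stat(path).st_mode
    if not mode_is_private(mode):
        raise PermissionError(f"{path} is readable by group/other; expected mode 0600")
    with open(path, encoding="utf-8") as fh:
        return parse_ldap_password(fh.read())


def creds_for_keyserver(url: str, creds: Dict[str, BindCreds]) -> Optional[BindCreds]:
    """Pick the entry matching the host of an ldap:// or ldaps:// keyserver URL.

    Unknown host -> 'default' entry if present, else None (anonymous bind), so a
    binddn/bindpw meant for one server is never sent to another.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        return None
    return creds.get(parts.hostname.lower(), creds.get("default"))


if __name__ == "__main__":
    table = parse_ldap_password(SAMPLE_LDAP_PASSWORD)
    for ks in ("ldap://keys.example.com/", "ldaps://LDAP.example.org:636/",
               "ldap://other.example.net/", "hkp://keys.example.com/"):
        c = creds_for_keyserver(ks, table)
        print(ks, "->", "anonymous bind" if c is None else f"bind as {c.binddn}")
```

The lookup is keyed on the hostname from the URL rather than on a global option, which is exactly what removes the "bad password" failure when a keyserver URL embedded in a key points at a different LDAP server. The permission check mirrors what ftp clients do with ~/.netrc: the file holds cleartext bind passwords, so anything more permissive than 0600 is rejected before it is read.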