On Wed, 22 Feb 2006, David Shaw wrote:

> It's a bit more complex than that - what LDAP (and any keyserver) does
> is provide the key itself. That key is then imported and lives
> locally from then on until it is deleted. There would need to be
> cleanup after use or keys would be left behind.

I see. Obviously not a problem for public keys, but definitely for private... Should have thought a bit more about how GnuPG works first. I guess I was too enthusiastic about the soon-working LDAP keyserver... Btw, I'll test the unique flag later today.

> Are you looking for a remote keyring?
> That's slightly different than a keyserver, or at least the thing
> that GnuPG calls a keyserver.

Now that you mention it: actually yes, for private keys. I've not done any research about that yet. Just came to my mind during the discussion in this thread. Does GnuPG support remote keyrings?

> 1.4.3. I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.

Thanks. I was about to ask if I can get it from the SVN tree early... You're just too quick! ;-)

> There aren't significant changes to the keyserver protocol between
> the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
> recompile.

I'll try a full checkout, though. I've read about another option which allows for keyserver failover, 'query' IIRC.

> This is just for testing though - the actual feature needs a little
> more work before 1.4.3 release - the binddn and bindpw is global for
> all keyservers, so if someone selects a different ldap keyserver
> without removing the binddn and bindpw, they likely will be refused
> (bad password). This can happen automatically with keyserver URLs.
> What is really needed is a .netrc-style "ldap-password" file that
> contains binddn and bindpw for different machines.

This is a general limitation, not to be solved by the ldap code, IMHO. AFAIK, 1.4.2 only supports a single keyserver, right? Therefore, any keyserver options apply to the one set. There should be a mechanism to specify multiple keyservers, each with its own option set, binddn and bindpw just being one of them.
Walter

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
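The .netrc-style per-keyserver credential file that David Shaw describes above, shown as an added Python illustration that is not GnuPG's code and not an implemented GnuPG feature: the file layout, host names, bind DNs and passwords are constructed, and the permission check assumes a POSIX filesystem. Selecting credentials by the keyserver's host is what keeps a global binddn/bindpw from being sent to the wrong server.

```python
import os
import stat
import tempfile
from netrc import netrc
from urllib.parse import urlparse

# Constructed sample of a .netrc-style "ldap-password" file (hypothetical
# layout, not a GnuPG format): one "machine" entry per LDAP keyserver host,
# bind DN in the login slot, bind password in the password slot.
SAMPLE_LDAP_PASSWORD_FILE = """\
machine ldap.example.org login cn=gpg,dc=example,dc=org password hunter2
machine keys.internal.example login uid=reader,ou=svc,dc=internal password s3cret
"""

def bind_credentials(keyserver_url: str, password_file: str):
    """Return (binddn, bindpw) for the host in keyserver_url, or None.

    Lookup is per host, so switching ldap:// keyservers never reuses the
    previous server's bind DN and password. The netrc module only checks
    permissions for ~/.netrc, so the explicit path is checked here.
    """
    if os.stat(password_file).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{password_file} is readable by other users")
    host = urlparse(keyserver_url).hostname
    entry = netrc(password_file).authenticators(host) if host else None
    if entry is None:
        return None  # no entry: caller falls back to an anonymous bind
    binddn, _account, bindpw = entry
    return binddn, bindpw

def run_demo() -> dict:
    """Write the constructed sample to a temp dir and exercise the lookup."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldap-password")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LDAP_PASSWORD_FILE)
        os.chmod(path, 0o600)  # owner-only, as for a private keyring
        results = {
            "primary": bind_credentials("ldap://ldap.example.org", path),
            "internal": bind_credentials("ldap://keys.internal.example:389", path),
            "unknown": bind_credentials("ldap://other.example.net", path),
        }
        os.chmod(path, 0o644)  # now group/world readable: lookup must refuse
        try:
            bind_credentials("ldap://ldap.example.org", path)
            results["refused"] = False
        except PermissionError:
            results["refused"] = True
    return results
```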