On Nov 7, 2006, at 7:01 AM, David Shaw wrote:
Personally, I think that LDAP is better for key populations that have a distinct boundary: a company, for example. In a company, key merging isn't really that useful or desirable, as generally there isn't much back-and-forth key signing. Rather, the company signs each key with the authoritative company key. Since you already have a running LDAP setup, it seems like an obvious solution to use it rather than have to maintain a whole second server (with backups, etc.). LDAP has another side benefit if you choose to make it visible outside the company: people who use PGP will automatically find keys for your employees and encrypt their mail. When encrypting to [EMAIL PROTECTED], PGP Universal looks for ldap://keys.example.com and asks it for the [EMAIL PROTECTED] key. Put "auto-key-locate ldap" in your gpg.conf, and GnuPG will do the same.
I was able to get my LDAP server to work as a keyserver using the information found in the articles from earlier this year on this list, but a few changes needed to be made to the layout and to the ACL. If I write up a how-to, would you be interested in hosting the page on the GnuPG web site?
I was thinking: OpenLDAP supports external modules. Perhaps an approach to supporting signature merging in LDAP would be to write a module that could perform this activity. Just a thought. That might be taking the LDAP server beyond what an LDAP server should be though...
Joe
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
