mirror of git://git.gnupg.org/gnupg.git
dirmngr: Do not store the useless pgpSignerID in the LDAP.
* dirmngr/ks-engine-ldap.c (extract_attributes): Do not store the
pgpSignerID.
* g10/call-dirmngr.c (ks_put_inq_cb): Do not emit sig records.
--
The pgpSignerID has no use in the LDAP and thus don't store it.
David's idea back in 2004 was
/* This bit is really for the benefit of people who
store their keys in LDAP servers. It makes it easy
to do queries for things like "all keys signed by
Isabella". */
See-commit: 3ddd4410ae
I consider this dangerous because such a query is not able to validate
the signature, does not get revocation signatures, and also has no
information about the validity of the signatures. Further many keys
are spammed tehse days with faked signatures and it does not make
sense to blow up the LDAP with such garbage.
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
e47de85382
commit
0e88c73bc9
|
@ -357,9 +357,9 @@ ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp)
|
|||
/* Send an OpenPGP key to all keyservers. The key in {DATA,DATALEN}
|
||||
is expected to be in OpenPGP binary transport format. The metadata
|
||||
in {INFO,INFOLEN} is in colon-separated format (concretely, it is
|
||||
the output of 'for x in keys sigs; do gpg --list-$x --with-colons
|
||||
KEYID; done'. This function may modify DATA and INFO. If this is
|
||||
a problem, then the caller should create a copy. */
|
||||
the output of 'gpg --list-keys --with-colons KEYID'). This function
|
||||
may modify DATA and INFO. If this is a problem, then the caller
|
||||
should create a copy. */
|
||||
gpg_error_t
|
||||
ks_action_put (ctrl_t ctrl, uri_item_t keyservers,
|
||||
void *data, size_t datalen,
|
||||
|
|
|
@ -1739,9 +1739,6 @@ extract_attributes (LDAPMod ***modlist, char *line)
|
|||
|
||||
if (is_sub)
|
||||
modlist_add (modlist, "pgpSubKeyID", keyid);
|
||||
|
||||
if (is_sig)
|
||||
modlist_add (modlist, "pgpSignerID", keyid);
|
||||
}
|
||||
|
||||
if (is_pub)
|
||||
|
@ -1969,7 +1966,6 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
|
|||
modlist_add (&modlist, "pgpKeyType", NULL);
|
||||
modlist_add (&modlist, "pgpUserID", NULL);
|
||||
modlist_add (&modlist, "pgpKeyCreateTime", NULL);
|
||||
modlist_add (&modlist, "pgpSignerID", NULL);
|
||||
modlist_add (&modlist, "pgpRevoked", NULL);
|
||||
modlist_add (&modlist, "pgpSubKeyID", NULL);
|
||||
modlist_add (&modlist, "pgpKeySize", NULL);
|
||||
|
|
|
@ -2526,7 +2526,7 @@ static const char hlp_ks_put[] =
|
|||
" INQUIRE KEYBLOCK_INFO\n"
|
||||
"\n"
|
||||
"The client shall respond with a colon delimited info lines (the output\n"
|
||||
"of 'for x in keys sigs; do gpg --list-$x --with-colons KEYID; done').\n";
|
||||
"of 'gpg --list-keys --with-colons KEYID').\n";
|
||||
static gpg_error_t
|
||||
cmd_ks_put (assuan_context_t ctx, char *line)
|
||||
{
|
||||
|
@ -2559,8 +2559,7 @@ cmd_ks_put (assuan_context_t ctx, char *line)
|
|||
goto leave;
|
||||
}
|
||||
|
||||
/* Ask for the key meta data. Not actually needed for HKP servers
|
||||
but we do it anyway to test the client implementation. */
|
||||
/* Ask for the key meta data. */
|
||||
err = assuan_inquire (ctx, "KEYBLOCK_INFO",
|
||||
&info, &infolen, MAX_KEYBLOCK_LENGTH);
|
||||
if (err)
|
||||
|
|
|
@ -1047,21 +1047,6 @@ ks_put_inq_cb (void *opaque, const char *line)
|
|||
}
|
||||
break;
|
||||
|
||||
/* This bit is really for the benefit of people who
|
||||
store their keys in LDAP servers. It makes it easy
|
||||
to do queries for things like "all keys signed by
|
||||
Isabella". */
|
||||
case PKT_SIGNATURE:
|
||||
{
|
||||
PKT_signature *sig = node->pkt->pkt.signature;
|
||||
|
||||
if (IS_UID_SIG (sig))
|
||||
record_output (fp, node->pkt->pkttype, NULL,
|
||||
-1, -1, sig->keyid,
|
||||
sig->timestamp, sig->expiredate, NULL);
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
continue;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue