Storing of PGP keys in OpenLDAP
dshaw at jabberwocky.com
Wed Dec 3 06:10:20 CET 2008
On Dec 2, 2008, at 8:19 PM, Toh Wan Quan wrote:
> I have the following observation while using "gpg --send-keys" to
> insert PGP keys to OpenLDAP.
> I have noticed that "gpg --send-keys" insert the key's detail in
> alphabetical order to "ou=PGP Keys,dc=example,dc=com" (ie.
> Distinguished Name: pgpCertID=5B41FBAB4BC73374,ou=PGP
> I was wondering if it is possible to insert as Distinguished Name:
> pgpUserID=william,ou=PGP Keys,dc=example,dc=com instead as it would
> faciliate easy maintanence of keys later on as it grows.
Unfortunately, it's not really possible. The Distinguished Name needs
to be unique in LDAP, and a pgpUserID is not guaranteed to be unique
(say, a single person who happens to have two keys). There can also
be a single key with multiple pgpUserIDs on it, so it is not clear
which user ID should be in the DN.
Currently, we use the pgpCertID (the 64-bit "long" key ID) to help
ensure that the Distinguished Name is unique. You'll have a 64-bit
collision eventually if you keep trying, but this is at least as good
as OpenPGP itself (which also relies on the 64-bit key ID being very
close to unique).
Incidentally, for those people who store keys in LDAP servers - Jon
Callas told me recently that the Hushmail system now follows the "ldap://keys.example.com
" method for finding keys via LDAP. This means that if you make your
LDAP server visible to the net at large, PGP, GPG, and now Hushmail
can automatically find keys for people in your domain. The feature is
on by default in PGP Universal and Hushmail. For GPG, stick a "auto-
key-locate ldap" in your gpg.conf to turn it on. If you are
encrypting to (for example) person at example.com, and GPG does not have
a key for that user, it will try to retrieve it from ldap://keys.example.com
More information about the Gnupg-users