Key server Q

David Shaw dshaw at jabberwocky.com
Tue Aug 6 06:48:02 CEST 2002


On Tue, Aug 06, 2002 at 02:17:00AM +0200, Simon Josefsson wrote:
> David Shaw <dshaw at jabberwocky.com> writes:

> > The difficulty here is that GnuPG very often knows the user ID or
> > the key ID, but not both.
> >
> > For example, during a --recv-keys GnuPG knows the key ID but does not
> > know the user ID since the key is not present yet, so there is no way
> > to look it up.  During a --search-keys, GnuPG knows the user ID but
> > not the key ID, also since the key is not present yet.
> 
> OK.
> 
> > It is possible to send the user ID during a --refresh-keys and a
> > --send-keys.  In those cases, the key is present during the keyserver
> > operation, so the user ID can be looked up and provided to the
> > keyserver plugin.  Would that still be useful to you?
> 
> I don't think so, I was thinking of the cases where you have no DNS
> zone configuration and don't have the certificate.

Hmm.  I don't think there is a solution within GnuPG then.  It may
have to be something external like an x-pgp-keys: header.

> >> An ugly idea for doing this would be to have the OpenPGP message
> >> reader look for From: lines before the actual OpenPGP header, and
> >> snarf the address.  Of course, there are no guarantees that there is a
> >> From: header or that it corresponds to the actual OpenPGP originator,
> >> but it would be Good Enough for many common cases, I think.  Perhaps
> >> there is a better way?
> >
> > Unless the message is signed or has some other way of giving the key
> > ID, this might be the best way to do it (and then pass the from email
> > address to --search-keys).  It would be nice if there was one official
> > version of the many different "x-pgp-keys:" headers, so it could be
> > easily parsed.  Perhaps we should write one.
> 
> The KeyID isn't enough for the situation I'm thinking about here,
> where you want to retrieve the certificate from the originator's own
> preferred server.

Well there is a preferred keyserver subpacket for self-sigs, but it
has the same problem as before - if you had the key to look at the
preferred keyserver subpacket, you'd have the key already.

It would be possible to give a suggested keyserver in the x-pgp-keys:
header of course.

David

-- 
   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
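As an added illustration of the header-scraping idea discussed above (this is example code, not part of the thread, of GnuPG, or of either author's work), the following Python script reads a mail message, takes the From: address as a fallback user ID, and parses an "X-PGP-Keys:" header for a key ID and a suggested keyserver. The header layout used here (key ID, then an optional keyserver URL, separated by ";") is an assumption, since the thread itself notes there is no official version; the sample messages are constructed. The script then maps what it found onto the two GnuPG operations the thread distinguishes: key ID known means --recv-keys, only the user ID known means --search-keys. Both hints come from unauthenticated headers, so they decide only where to look, never what to trust.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the thread). The "X-PGP-Keys:" header
# format below is an assumption; the thread notes no official version exists.
HINTED_MESSAGE = b"""\
From: Alice Example <alice@example.org>
To: bob@example.net
Subject: hello
X-PGP-Keys: 0x0123456789ABCDEF; hkp://keys.example.org
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7

hQEMA...
-----END PGP MESSAGE-----
"""

FROM_ONLY_MESSAGE = b"""\
From: Alice Example <alice@example.org>
Subject: no key header

-----BEGIN PGP MESSAGE-----
hQEMA...
-----END PGP MESSAGE-----
"""

# Accept 8, 16 or 40 hex digit key IDs / fingerprints, with or without "0x".
KEYID_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")
# Only accept a keyserver hint that looks like a plain scheme://host[:port].
KEYSERVER_RE = re.compile(r"^(?:hkp|hkps|ldap|http|https)://[\w.\-]+(?::\d+)?$")


def lookup_hints(raw):
    """Extract the originator address, a key ID and a keyserver suggestion.

    Every value is a lookup hint only: the From: line and the X-PGP-Keys:
    header are unauthenticated, so a key retrieved with them must still be
    checked by fingerprint (or signature verification) before it is used.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hints = {"address": None, "keyid": None, "keyserver": None}

    # Fallback user ID: the From: address, as the thread suggests.
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" in addr:
        hints["address"] = addr.lower()

    # Assumed header layout: "<keyid>; <keyserver-url>", either part optional.
    hdr = msg.get("X-PGP-Keys")
    if hdr:
        for part in (p.strip() for p in str(hdr).split(";")):
            m = KEYID_RE.match(part)
            if m and hints["keyid"] is None:
                hints["keyid"] = m.group(1).upper()
            elif KEYSERVER_RE.match(part) and hints["keyserver"] is None:
                hints["keyserver"] = part
    return hints


def suggest_gpg_command(hints):
    """Map the hints onto the GnuPG operation the thread describes.

    Key ID known  -> --recv-keys (the user ID is not needed for the fetch).
    Only address  -> --search-keys on the user ID.
    Nothing known -> None; the message reader has no lookup to offer.
    A sender-chosen keyserver is advisory: a site may prefer to drop it and
    use its configured server instead.
    """
    if hints["keyid"]:
        cmd = ["gpg"]
        if hints["keyserver"]:
            cmd += ["--keyserver", hints["keyserver"]]
        return cmd + ["--recv-keys", "0x" + hints["keyid"]]
    if hints["address"]:
        return ["gpg", "--search-keys", hints["address"]]
    return None


if __name__ == "__main__":
    for raw in (HINTED_MESSAGE, FROM_ONLY_MESSAGE):
        h = lookup_hints(raw)
        print(h, "->", suggest_gpg_command(h))
```

The script only prints the GnuPG command it would run; wiring it into a mail reader means executing that command and then comparing the fetched key's fingerprint against something the recipient already trusts, since nothing in the headers proves which key the originator actually holds.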
More information about the Gnupg-devel mailing list