Storing of PGP keys in OpenLDAP

David Shaw dshaw at jabberwocky.com
Wed Dec 3 06:10:20 CET 2008


On Dec 2, 2008, at 8:19 PM, Toh Wan Quan wrote:

> Hi,
>
> I have the following observation while using "gpg --send-keys" to
> insert PGP keys to OpenLDAP.
>
> I have noticed that "gpg --send-keys" inserts the key's details in
> alphabetical order to "ou=PGP Keys,dc=example,dc=com" (ie.
> Distinguished Name: pgpCertID=5B41FBAB4BC73374,ou=PGP
> Keys,dc=example,dc=com)
>
> I was wondering if it is possible to insert as Distinguished Name:
> pgpUserID=william,ou=PGP Keys,dc=example,dc=com instead as it would
> facilitate easy maintenance of keys later on as it grows.

Unfortunately, it's not really possible.  The Distinguished Name needs  
to be unique in LDAP, and a pgpUserID is not guaranteed to be unique  
(say, a single person who happens to have two keys).  There can also  
be a single key with multiple pgpUserIDs on it, so it is not clear  
which user ID should be in the DN.

Currently, we use the pgpCertID (the 64-bit "long" key ID) to help  
ensure that the Distinguished Name is unique.  You'll have a 64-bit  
collision eventually if you keep trying, but this is at least as good  
as OpenPGP itself (which also relies on the 64-bit key ID being very  
close to unique).

Incidentally, for those people who store keys in LDAP servers - Jon
Callas told me recently that the Hushmail system now follows the
"ldap://keys.example.com" method for finding keys via LDAP.  This means
that if you make your LDAP server visible to the net at large, PGP, GPG,
and now Hushmail can automatically find keys for people in your domain.
The feature is on by default in PGP Universal and Hushmail.  For GPG,
stick a "auto-key-locate ldap" in your gpg.conf to turn it on.  If you
are encrypting to (for example) person at example.com, and GPG does not
have a key for that user, it will try to retrieve it from
ldap://keys.example.com.

David
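The following is an added worked example, not code from David's message or from GnuPG itself. It models the two points made above: how the pgpCertID RDN is derived from a key (for v4 keys the 64-bit "long" key ID is the low-order 64 bits of the fingerprint, per RFC 4880, so the last 16 hex digits), why pgpUserID cannot serve as the RDN (one person with two keys, one key with several user IDs), how the birthday bound makes a 64-bit collision "eventual", and which server the "auto-key-locate ldap" lookup targets for a given address. The three fingerprints and the user IDs are constructed for the example; the first fingerprint is padded so that its low 64 bits equal the 5B41FBAB4BC73374 cert ID quoted in the thread.

```python
import math

# Constructed sample key set (not real keys). 'fpr' is a 40-hex v4 fingerprint,
# 'uids' the user IDs carried on the key. The first fingerprint's leading 24 hex
# digits are made up so that its long key ID matches the one quoted in the post.
SAMPLE_KEYS = [
    {"fpr": "0123456789ABCDEF012345675B41FBAB4BC73374", "uids": ["william@example.com"]},
    {"fpr": "FEDCBA9876543210FEDCBA980000000000000001", "uids": ["william@example.com"]},  # same person, 2nd key
    {"fpr": "00112233445566778899AABBCCDDEEFF00112233", "uids": ["alice@example.com", "alice@example.org"]},
]


def long_key_id(fingerprint_hex: str) -> str:
    """64-bit 'long' key ID of a v4 key: the low-order 64 bits of its fingerprint.

    Accepts the space-grouped form gpg prints ("5B41 FBAB ..."). v3 keys derive
    their ID differently and are deliberately not handled here.
    """
    fpr = fingerprint_hex.replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[-16:]


def base_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com"""
    labels = [l for l in domain.lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def key_dn(fingerprint_hex: str, domain: str, ou: str = "PGP Keys") -> str:
    """DN under which gpg --send-keys stores the key: pgpCertID=<long id>,ou=...,dc=..."""
    return f"pgpCertID={long_key_id(fingerprint_hex)},ou={ou},{base_dn(domain)}"


def keyserver_for(email: str) -> str:
    """Server that 'auto-key-locate ldap' consults for an address: ldap://keys.<domain>."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address")
    return f"ldap://keys.{domain.lower()}"


def rdn_problems(keys, attribute: str) -> dict:
    """Check whether `attribute` could serve as the RDN for a key set.

    Returns {'ambiguous': [key IDs that have more than one candidate value,
                           i.e. no single RDN can be chosen],
             'duplicate': [RDN values claimed by more than one key,
                           i.e. the DN would not be unique]}.
    Both lists are empty exactly when the attribute yields one unique DN per key.
    """
    owners: dict = {}
    ambiguous = []
    for key in keys:
        kid = long_key_id(key["fpr"])
        if attribute == "pgpCertID":
            values = [kid]
        elif attribute == "pgpUserID":
            values = list(key["uids"])
        else:
            raise ValueError(f"unknown attribute {attribute}")
        if len(values) != 1:
            ambiguous.append(kid)
        for v in values:
            owners.setdefault(v, []).append(kid)
    duplicate = sorted(v for v, ks in owners.items() if len(ks) > 1)
    return {"ambiguous": ambiguous, "duplicate": duplicate}


def collision_probability(n_keys: int, bits: int = 64) -> float:
    """Birthday-bound estimate of P(some two of n_keys keys share a `bits`-bit ID).

    expm1 keeps precision for the tiny probabilities a realistic directory has.
    """
    pairs = n_keys * (n_keys - 1) / 2
    return -math.expm1(-pairs / 2 ** bits)


if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(key_dn(k["fpr"], "example.com"))
    print("pgpUserID as RDN:", rdn_problems(SAMPLE_KEYS, "pgpUserID"))
    print("pgpCertID as RDN:", rdn_problems(SAMPLE_KEYS, "pgpCertID"))
    print("lookup for person@example.com ->", keyserver_for("person@example.com"))
    for n in (1_000, 10_000_000, 2 ** 32):
        print(f"{n} keys: P(64-bit key ID collision) ~ {collision_probability(n):.3g}")
```

Running it prints one pgpCertID DN per key, reports william@example.com as a duplicate RDN value and the two-UID key as having no single RDN, and shows that the collision probability only approaches 0.39 at about 2^32 keys, which is the sense in which the 64-bit ID is "at least as good as OpenPGP itself". The gpg.conf side of this is the single line "auto-key-locate ldap"; the server that line makes GPG consult is what keyserver_for() computes.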



More information about the Gnupg-users mailing list