auto key locate using keyid

David Shaw dshaw at jabberwocky.com
Wed Mar 4 19:43:30 CET 2009


On Wed, Mar 04, 2009 at 10:51:39AM +0100, Werner Koch wrote:
> On Wed,  4 Mar 2009 05:58, dshaw at jabberwocky.com said:
> 
> > This is not currently possible.  It seems like it should be (the
> > principle of least surprise dictates that it should work with anything
> > that can be passed to '-r').
> 
> The reason it works only with mail addresses is that I don't see an
> application case for anything else.  Gpg is most commonly used for email
> encryption and here you need an email address anyway.  --auto-key-locate
> makes this case easy by retrieving a corresponding key.

GPG does not strongly distinguish between these cases - either way,
the message is encrypted to the specified key, however that key is
located (by address or by keyid).

auto-key-locate grew out of the PKA and CERT feature.  When I
generalized it for PKA, CERT, and (automatic) LDAP, it grew the
ability to query any arbitrary keyserver.  To be sure, some of those
methods only could work with an email address.  PKA, CERT, and
automatic LDAP rely on an email address to find the key.  There is no
concept of a keyid there.  Keyservers, however, can accept either one.
(CERT actually allows for keyids in the protocol too, but GPG doesn't
implement that part).

So, assuming "auto-key-locate hkp://keys.gnupg.net" (or similar), the
surprise is that this works:

  gpg -r the-address at example.com -e the-file.txt

But this does not:

  gpg -r 0x12345678 -e the-file.txt

You can even extend the use case to stuff like:

 auto-key-locate ldap://my-company-keyserver hkp://keys.gnupg.net ldap://keyserver.pgp.com

And they will be tried in order until one of them succeeds.  While
most keyservers synch, a local company keyserver likely would not, and
things like PGP's global directory can't synch by their nature.

David
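As an added illustration of the ordering described above (this is not part of David's message and not a GnuPG project file; the hostnames are placeholders, and the `local` mechanism is assumed to be available in the GnuPG version in use), a gpg.conf fragment that tries an internal keyserver before the public pool:

```conf
# gpg.conf fragment -- constructed example, not from the original message.
# Hostnames are placeholders.

# Mechanisms are tried left to right; the first one that returns a key wins.
# "local" first, so an address already in the keyring never triggers a
# network lookup; the company LDAP server next, because public keyservers
# do not sync with it; a public HKP server last as the fallback.
auto-key-locate local ldap://keyserver.example.internal hkp://keys.gnupg.net

# Keyserver used for explicit --recv-keys / --search-keys, which is how a
# key must be fetched when the recipient is given as a keyid rather than
# an address.
keyserver hkp://keys.gnupg.net
```

With this in place, `gpg -r alice@example.com -e file.txt` will look the address up along the chain, while `gpg -r 0x12345678 -e file.txt` will not, as the message explains; run `gpg --recv-keys 0x12345678` first in that case. Note that a key returned by a public keyserver for an address is only a lookup result, not a verified binding: check the fingerprint out of band (or rely on web-of-trust or PKA/CERT data you already trust) before encrypting anything sensitive to it.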
