Order of lookup methods in --auto-key-retrieve

Werner Koch wk at gnupg.org
Mon Jul 1 19:29:39 CEST 2019

On Sun, 30 Jun 2019 21:36, gnupg-devel at gnupg.org said:

> The code checks first the keyserver and then the WKD domain. I guess
> this is to limit the number of IP-leaking queries and prefer trusted
> keyserver.

Right that was one idea.  The other reason is that it is not possible to
lookup a key from the WKD using a fingerprint.  Before rfc-4880bis added
the /Issuer Fingerprint/ to signatures we only had the /Issuer's User
ID/ information in a signature to lookup a key.  With 2.1.13 we added
the latter to all signatures if possible so to make --auto-key-retrieve

I guess we should keep this information to prefer updating via WKD.

> I'm wondering if reversing the order (first WKD, then keyserver)
> wouldn't be a better option. The current mechanism is not perfect, so




Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20190701/4f91b1e2/attachment.sig>

More information about the Gnupg-devel mailing list