Only one pubkey to be delivered by WKD (Re: Update

Bernhard Reiter bernhard at
Wed Jul 28 15:58:23 CEST 2021

Am Mittwoch 28 Juli 2021 12:28:08 schrieb Simon Josefsson via Gnupg-devel:
> It seems like a
> neat thing to have all my keys in there, in case someone wants to verify
> old signatures.  Is this forbidden? As far as I can tell from wks draft
> -12 it is permitted: 'Note that the key may be revoked or expired - it
> is up to the client to handle such conditions.'.

Yes, in my reading it is "forbidden" to have more than one non-revoked pubkey 
in a WKD reponse.

Citing from

   The HTTP GET method MUST return the binary representation of the
   OpenPGP key for the given mail address.  The key needs to carry a
   User ID packet ([RFC4880]) with that mail address.  Note that the key
   may be revoked or expired - it is up to the client to handle such
   conditions.  To ease distribution of revoked keys, a server may
   return revoked keys in addition to a new key.  The keys are returned
   by a single request as concatenated key blocks.

It is singular "the key" and "in addition to a new key".

Additionally ss Werner wrote: it would defy the purpose otherwise. :)

Best Regards,

--   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Gnupg-devel mailing list