Only one pubkey to be delivered by WKD (Re: Update

Simon Josefsson simon at
Wed Jul 28 17:36:54 CEST 2021

Bernhard Reiter <bernhard at> writes:

> Am Mittwoch 28 Juli 2021 12:28:08 schrieb Simon Josefsson via Gnupg-devel:
>> It seems like a
>> neat thing to have all my keys in there, in case someone wants to verify
>> old signatures.  Is this forbidden? As far as I can tell from wks draft
>> -12 it is permitted: 'Note that the key may be revoked or expired - it
>> is up to the client to handle such conditions.'.
> Yes, in my reading it is "forbidden" to have more than one non-revoked pubkey 
> in a WKD reponse.
> Citing from 
>    The HTTP GET method MUST return the binary representation of the
>    OpenPGP key for the given mail address.  The key needs to carry a
>    User ID packet ([RFC4880]) with that mail address.  Note that the key
>    may be revoked or expired - it is up to the client to handle such
>    conditions.  To ease distribution of revoked keys, a server may
>    return revoked keys in addition to a new key.  The keys are returned
>    by a single request as concatenated key blocks.
> It is singular "the key" and "in addition to a new key".

The start of the paragraph talks about 'the key' but the end of the
paragraph talks about 'the keys', in plural.  I don't think it is
terribly clear that it MUST NOT be more than one key.  What is the
problem with serving more than one key?  It seems like a useful thing to
do during key roll-over, or even during extended periods to make it
easier for people to verify older signatures.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 255 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list