recommendation for key servers

deloptes deloptes at
Fri Jun 25 17:29:31 CEST 2021

Hi and thank you for your responses!

On Fri, Jun 25, 2021 at 4:03 PM Andrew Gallagher via Gnupg-devel <
gnupg-devel at> wrote:

> On 25/06/2021 11:08, Werner Koch via Gnupg-devel wrote:
> > On Fri, 25 Jun 2021 08:00, Jan Girlich said:
> >
> >> most PGP tools default to these days.
> >
> > Which unfortunately is a non-OpenPGP compliant keyserver and not syncing
> > with other keyservers.  It has the same problems as the keyserver
> > from the early 2000 years.  I would suggest not to use keyservers for key
> > discovery but install a web key directory or an internal LDAP server or
> > use the AD.
> I agree, WKD should be the first choice method to publish your own key,
> so long as you or someone PGP-friendly is in charge of your email domain
> (it's no use for gmail addresses, for example). But implementing WKD
> yourself does not help you discover other people's keys, unless you both
> belong to the same organisation (same applies to AD, LDAP etc).
> Most modern software will check WKD regardless of your keyserver
> settings, so if it is in use by your correspondent's email domain, it
> should Just Work. But for the majority of users, you still have to fall
> back to another discovery method.
Our GPG Client (actually many of you may know the old KGpg client) has the
option to search for keys on a specific server by default.
>From what I hear, we can conclude that this is good by option and we have
to replace with something, but we still do not know with what :/

I would not consider it as modern software :D at least no one has the time
to work on the client and add features. So this is why I am asking here
what to do, so that the very small developers team on TDE could take the
right decision and not burn resources in vain.

> The keystore trilemma is not yet solved. You can have two out of three
> of decentralisation, universality, and abuse-resistance. WKD is
> decentralised and abuse-resistant but is not universal.
> is universal and abuse-resistant but highly centralised (and
> functionally limited). Synchronising keyservers (SKS and Hockeypuck) are
> decentralised and universal but abuse-prone.
> Signature attestations will help tackle many of the abuse (and
> functional limitation) issues, if we can get them standardised in a
> future openpgp update (rfc4880tris?). But we will probably have to live
> with more than one system for the foreseeable future, given the
> different compromises required.
So to put it short in the future there will be no openpgp server(s) because
of the GDRP?
I was wondering who is objecting the existence of the SKS server. In the
mail thread (from 2018) and the message from this month, it says only about
more and more complains.
Could it be potential attack on the opengpg community - I could not follow
until the end. Can you summarize who and how took the decision to take this
server down?
Couple of years ago, I thought finally someone took care of GPG and did the
right thing, so that one can have a single server, to look for and upload
keys - now it seems it is over

thank you in advance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-devel mailing list