WKD: returns only one pubkey (and why)

Bernhard Reiter bernhard at intevation.de
Thu Jan 26 11:04:32 CET 2023

Hi Werner,

On Thursday, 26 January 2023 09:42:24, Werner Koch via Gnupg-devel wrote:
> > I just want to self-publish all trusted keys
> > for my email address and have a protocol to specify that people should
> Actually you can do this, but we don't have the tooling to upload such a
> key without manual intervention.  Here is a test case:

> Then on the client you can test this:

> Both keys have been retrieved

For my understanding, this technical test case
tests something that is outside the specification
(the current specification, as cited at the start of the discussion).

> (filtered to have only the requested user 
> id) and the best matching key has been listed.  With an implementation
> w/o support for ed25519 the RSA key would have been listed.
> So far with the theory and here comes the bug:  There is no valid
> encryption subkey and thus --locate-external-key should indeed list the rsa
> key. See https://dev.gnupg.org/T6358 .

Looks like an example of how distributing two active keys via WKD
makes it more complicated to implement use case 1).
And for a rollover, just the new public key could be distributed,
so I'd say multiple pubkeys are not necessary for the rollover.


https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter
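Added illustration (not code from the thread or from GnuPG): how a client derives the WKD lookup URL for an address, plus a simplified model of the key choice the thread argues about, where the newest key is skipped if it has no valid encryption subkey or uses an algorithm the client does not support. The sample keys and the selection rule are constructed assumptions, not GnuPG's actual logic.

```python
import hashlib
from datetime import date
from urllib.parse import quote

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service).
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per symbol, most significant bits first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # a 20-byte SHA-1 needs no padding
    value = int.from_bytes(data, "big") << pad
    return "".join(ZB32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))


def wkd_url(addr: str, advanced: bool = True) -> str:
    """Build the WKD lookup URL for a mail address (advanced or direct method)."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    # The local part is lowercased before hashing; the original is passed as ?l=
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    if advanced:
        return f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={quote(local)}"
    return f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={quote(local)}"


# Constructed sample: two keys one WKD answer might carry for the same user id,
# modelling the thread's case (newer ed25519 key without a usable encryption subkey).
SAMPLE_KEYS = [
    {"fpr": "RSA_KEY_PLACEHOLDER", "algo": "rsa",
     "created": date(2020, 1, 1), "enc_subkey_ok": True},
    {"fpr": "ED25519_KEY_PLACEHOLDER", "algo": "ed25519",
     "created": date(2023, 1, 1), "enc_subkey_ok": False},
]


def pick_encryption_key(keys, supported=("rsa", "ed25519")):
    """Simplified client rule (an assumption, not GnuPG's code): among the keys whose
    algorithm the client supports and which carry a valid encryption subkey, take the
    newest one; return None if nothing is usable."""
    usable = [k for k in keys if k["algo"] in supported and k["enc_subkey_ok"]]
    return max(usable, key=lambda k: k["created"])["fpr"] if usable else None
```

Run `wkd_url("Joe.Doe@Example.ORG")` to see both methods resolve to the same hashed local part regardless of letter case.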