Keyserver access changes in GnuPG

Andrew Luke Nesbit
Wed Dec 12 23:08:27 CET 2018

On 12/12/2018 21:43, Wiktor Kwapisiewicz wrote:
>> Should I issue and publish a revocation certificate?  Will this cause
>> problems considering that I'm still using the same master key?
> I don't think revocation is necessary if the private subkeys are still safe.

Yes, they are still safe.  On thinking about it, issuing a revocation
certificate could be overkill.  It might even cause more confusion than
it is meant to solve.

> It may be just inconvenient for people that want to contact you / verify your
> signatures to see your subkeys expired and when they "gpg --refresh-keys" (as
> they always do) your key would still be expired with no apparent way of
> proceeding. If I saw something like that I'd think the key is abandoned.

Indeed, so would I.  But then there's also a pretty good chance that the
same person might write to me and ask, "Hey, what's up with your OpenPGP
keys?"  Then I could explain and point them to the right place.  Or, by
then, my website or my email signature might have enough information to
point them in the right direction before it even becomes an issue.

> If you had HTTPS on your site I'd recommend Web Key Directory as this downloads
> keys from your site *and* refreshes expired keys from your site too automatically.

I am coincidentally currently in the process of provisioning an Apache
server with HTTPS/443 enabled.  Not even HTTP/80 will be open, so HTTP
to HTTPS redirection won't be implemented either.

I've looked up Web Key Directory and had a quick browse, and this is
exactly the kind of thing I need.  Thank you!!

Kind regards,

EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9
