distributing pubkeys: autocrypt, hagrid, WKD (Re: Your Thoughts)

Konstantin Ryabitsev konstantin at linuxfoundation.org
Mon Jul 1 16:27:20 CEST 2019

On Mon, Jul 01, 2019 at 03:13:29PM +0200, Michał Górny via Gnupg-users wrote:
>> The problem with autocrypt is the cases where its security measures are
>> tested. There is no good way to interact with the users in those cases.
>> I know this is not part of its design goals, but it works against a better
>> user experience.
>> The problem with hagrid (from what I've heard) is that it is again an attempt
>> of a validating keyserver, which means it has to centralize the trust
>> function or there is no point in the validation.
>> This makes WKD most mature and easiest for users in my eyes. (I was involved
>> in its design.).
>I agree.  This is precisely why we've decided on it for syncing
>distribution keys in Gentoo.  However, the main problem with WKD right
>now is that AFAIK GnuPG doesn't support refreshing existing keys via WKD
>-- we had to employ a large hack to do it.

This can't be stressed enough. The main purpose of a managed keyring for 
communities like kernel.org and others is to advise all members of 
things like:

- subkey changes
- UID additions/revocations
- expiration date extensions

WKD doesn't currently facilitate any of these.
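
As an added illustration of the refresh gap Michał and Konstantin describe (this is example code written for this page, not Gentoo's script and not part of GnuPG), the module below derives the WKD lookup URLs for an address as the WKD draft specifies them (SHA-1 of the lowercased local part, z-base-32 encoded, then the advanced and direct well-known paths), fetches the key from the advanced endpoint and falls back to the direct one, and pipes whatever is served into `gpg --import`, which merges new subkeys, added or revoked UIDs and extended expiration self-signatures into a key that is already in the keyring. The `refresh_key` helper, its injectable `fetch`/`import_key` callables and the sample addresses are assumptions made for illustration.

```python
import base64
import hashlib
import subprocess
from typing import Callable, Optional, Tuple
from urllib.parse import quote
from urllib.request import urlopen

# z-base-32 alphabet (RFC 6189, section 5.1.6) used by WKD for the hash.
# It groups bits exactly like RFC 4648 base32, only the alphabet differs,
# so translating the standard base32 output character by character is enough.
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648, _ZBASE32)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    # 160 bits is a multiple of 40, so base32 needs no '=' padding here.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def wkd_urls(address: str) -> Tuple[str, str]:
    """Return the (advanced, direct) WKD URLs for a mail address.

    The 'l' query parameter carries the local part as written in the
    address; only the hash input is lowercased.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    q = "?l=" + quote(local_part, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}"
    return advanced, direct


def _http_fetch(url: str) -> Optional[bytes]:
    """Fetch the binary OpenPGP key; None on any HTTP or network failure."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.read()
    except Exception:  # HTTPError (e.g. 404 for the advanced method), URLError, timeouts
        return None


def _gpg_import(key: bytes) -> bool:
    """Merge the fetched key into the local keyring.

    gpg --import merges packets into an existing key, so new subkeys,
    new or revoked UIDs and newer self-signatures (expiration extensions)
    are picked up; it never removes anything already present.
    """
    proc = subprocess.run(["gpg", "--batch", "--quiet", "--import"], input=key)
    return proc.returncode == 0


def refresh_key(
    address: str,
    fetch: Callable[[str], Optional[bytes]] = _http_fetch,
    import_key: Callable[[bytes], bool] = _gpg_import,
) -> Optional[str]:
    """Emulate a WKD refresh for one address (hypothetical helper).

    Tries the advanced method first, then the direct method, as a WKD
    client does, and returns the URL whose key was imported, or None.
    """
    for url in wkd_urls(address):
        key = fetch(url)
        if key and import_key(key):
            return url
    return None


if __name__ == "__main__":
    # Sample address from the WKD draft; the derived hash can be checked
    # against gpg --with-wkd-hash --fingerprint.
    for u in wkd_urls("Joe.Doe@Example.ORG"):
        print(u)
```

To check the derivation against GnuPG itself, `gpg --with-wkd-hash --fingerprint <address>` prints the same 32-character hash next to each UID. Two caveats for anyone turning this into a cron job: `gpg --import` accepts whatever the domain serves for that address, so the domain operator (or anyone holding a valid certificate for it) can substitute a key, which is WKD's trust model and exactly what `--auto-key-locate wkd` already accepts; a refresh script that only wants to pick up updates to a key it already has should compare the fetched key's fingerprint with the one in the keyring before importing. Later GnuPG releases (2.2.17 onward) added `--locate-external-keys`, which forces an external lookup even when the key is already present locally and removes the need for this kind of workaround.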
