distributing pubkeys: autocrypt, hagrid, WKD

Konstantin Ryabitsev konstantin at linuxfoundation.org
Tue Jul 2 21:40:32 CEST 2019


On Mon, Jul 01, 2019 at 06:41:41PM +0200, Werner Koch via Gnupg-users wrote:
>On Mon,  1 Jul 2019 10:27, konstantin at linuxfoundation.org said:
>
>> - subkey changes
>
>An expired key triggers a reload of the key via WKD or DANE.  Modulo the
>problems I mentioned in the former mail.  For new subkeys we have a
>problem unless we do a regular refresh similar to what should be done
>for revocations.

Most subkey changes that I am aware of are not due to people's old 
subkeys expiring, but because they add new ones for reasons like 
migrating between smartcard solutions or just being nerdy and picking a 
new ECC-based subkey.

When this happens, a maintainer who tries to verify a signed pull 
request will have the operation fail, so they need to have a way to 
force-refresh the developer's key. I would say this is the #1 workflow 
scenario that I need to fix if we can't rely on the SKS network any 
more.

-K
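
Added example, not part of the original message and not GnuPG code: one way a maintainer-side script could decide that a local key copy is stale (the signature was made by a subkey the keyring does not have) and compute the WKD URLs to refetch from. The function names and the key IDs in the sample listing are constructed for illustration; the address is a sample one.

```python
import hashlib
from urllib.parse import quote

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """z-base-32 encode; input length must be a multiple of 5 bits (SHA-1 is)."""
    nbits = len(data) * 8
    if nbits % 5:
        raise ValueError("length not a multiple of 5 bits")
    n = int.from_bytes(data, "big")
    return "".join(ZB32[(n >> s) & 31] for s in range(nbits - 5, -1, -5))

def wkd_urls(addr: str) -> list:
    """WKD lookup URLs for addr: advanced method first, then direct."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mail address: %r" % addr)
    domain = domain.lower()
    # The hashed-user part is SHA-1 over the lowercased local part.
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    tail = "hu/%s?l=%s" % (hu, quote(local))
    return ["https://openpgpkey.%s/.well-known/openpgpkey/%s/%s" % (domain, domain, tail),
            "https://%s/.well-known/openpgpkey/%s" % (domain, tail)]

def known_keyids(colon_listing: str) -> set:
    """Key IDs (field 5) of pub/sub records in `gpg --with-colons` output."""
    ids = set()
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 4:
            ids.add(f[4].upper())
    return ids

def refresh_plan(signer_keyid: str, addr: str, colon_listing: str) -> list:
    """URLs to refetch from when the signing (sub)key is missing locally."""
    if signer_keyid.upper() in known_keyids(colon_listing):
        return []          # local copy already has the signing subkey
    return wkd_urls(addr)  # unknown subkey: local copy is stale, refetch

# Constructed sample: local copy holds a primary key and one old subkey.
LOCAL = """pub:f:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
sub:f:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:
"""

if __name__ == "__main__":
    print(refresh_plan("CCCCCCCCCCCCCCCC", "Joe.Doe@Example.ORG", LOCAL))
```

The signer key ID is assumed to be the 16-hex-digit long key ID that a failed verification reports; a key fetched from these URLs should still be checked against the fingerprint already trusted for that developer before it is merged.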


