distributing pubkeys: autocrypt, hagrid, WKD

Wiktor Kwapisiewicz wiktor at metacode.biz
Tue Jul 2 22:37:31 CEST 2019


Hi Konstantin,

On 02.07.2019 21:40, Konstantin Ryabitsev wrote:
> Most subkey changes that I am aware of are not due to people's old 
> subkeys expiring, but because they add new ones for reasons like 
> migrating between smartcard solutions or just being nerdy and picking a 
> new ECC-based subkey.
> 
> When this happens, a maintainer who tries to verify a signed pull 
> request will have the operation fail, so they need to have a way to 
> force-refresh the developer's key.

Do you mean something simpler than [0]:

gpg --auto-key-locate clear,wkd,nodefault --locate-key torvalds at kernel.org

?

Trying key lookup over WKD if the subkey is missing locally (but primary 
key is present) would be a good idea. I've seen some really weird errors 
in that case [1].

If the primary key used short expiration [2] the refresh would be 
automatic but not many people like to prolong expirations every couple 
of months.

Kind regards,
Wiktor

[0]: https://dev.gnupg.org/T2917#115978

[1]:
https://www.reddit.com/r/tails/comments/9rchgi/tails_3101_error_cant_check_signature_no_public/

[2]: 
https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/

-- 
https://metacode.biz/@wiktor
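As an added example (not part of this mail or of GnuPG's own code) the two pieces the thread turns on, in Python: deriving the WKD lookup URLs that `--auto-key-locate wkd` fetches for an address, and spotting from `gpg --status-fd` output the "signature by a key I don't have" case that should trigger such a refresh. The status lines are constructed, and treating `ERRSIG` return code 9 as "no public key" follows GnuPG's documented status-line semantics.

```python
import base64
import hashlib

# WKD hashes the lowercased local part with SHA-1 and encodes it in z-base-32.
# z-base-32 groups bits exactly like RFC 4648 base32, so a 160-bit digest
# (32 symbols, no padding) can be produced by re-mapping the alphabet.
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_RFC4648, _ZBASE32)


def wkd_hash(local_part: str) -> str:
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def wkd_urls(address: str) -> dict:
    """Advanced and direct method URLs; the l= parameter keeps the original case."""
    local, domain = address.rsplit("@", 1)
    domain, h = domain.lower(), wkd_hash(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
    }


def missing_key_ids(status_lines):
    """Key IDs that gpg could not find locally (ERRSIG rc=9 or NO_PUBKEY)."""
    missing = []
    for line in status_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "NO_PUBKEY" or (fields[1] == "ERRSIG" and len(fields) >= 8 and fields[7] == "9"):
            if fields[2] not in missing:
                missing.append(fields[2])
    return missing


def refresh_command(address: str) -> list:
    """The WKD-only lookup from the mail, as an argv list for subprocess."""
    return ["gpg", "--auto-key-locate", "clear,wkd,nodefault", "--locate-key", address]


# Constructed status output for a signature made by a subkey not in the keyring.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 0123456789ABCDEF 22 8 00 1562100000 9 -",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]

if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG"))
    print(missing_key_ids(SAMPLE_STATUS))
```

Whether the primary key is already present locally is a separate check against the keyring; if it is and a WKD fetch succeeds, the new subkey is merged into the existing key rather than creating a second one.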


