WKD: returns only one pubkey (and why)

Bernhard Reiter bernhard at intevation.de
Fri Dec 9 09:59:59 CET 2022


Hi David,

saw that you had a question about WKD in your blog:
https://sleepmap.de/2022/new-pgp-key-id-1793dad5d803a8ffd7451697bb992f9864fad168/

You write:
  gpg --locate-keys dave@sleepmap.de
  The above only returns the new key [..], but not the old [..]. 
  It is entirely opaque to the user as to why.

The reason is that WKD only allows
for returning one active public key.
 
https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-15#name-key-discovery
has
   The HTTP GET method MUST return the binary representation of the OpenPGP   
   key for the given mail address.
   [..]
   a server may return revoked keys in addition to a new key.
   
The use of _the_ and _a_ key shows that only one public key is to be returned.
This makes sense because the idea is that a client can directly use the key 
for encryption without asking the user for choice.
It seems that the version of sequoia-pgp you were using in April does not 
implement the WKD draft correctly 
by providing and downloading more than one pubkey.
This may have added to your confusion.

Nonetheless the intentions could be written more explicitly in the WKD draft, 
which I have meanwhile suggested to the author.

Regards,
Bernhard
ps.: BTW there has been a new group of synchronised pubkey servers for a while, 
e.g. see https://social.tchncs.de/@ber/107008659842900171

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors Frank Koormann, Bernhard Reiter
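As an added illustration of the point made in the mail (one active key per address), not code from the original post, from GnuPG or from sequoia-pgp: the script below builds the two WKD lookup URLs for a mail address (SHA-1 of the lower-cased local part, z-base-32 encoded, as the draft specifies) and then inspects a binary WKD response, splitting it into certificates and refusing to proceed unless exactly one non-revoked primary key came back. The OpenPGP packets it parses are constructed stand-ins with fake key material; `RESPONSE_*`, `OLD_KEY_BODY`, `NEW_KEY_BODY` and the `dave@example.org` user ID are invented for the example. Revocation is detected only by the signature type octet, without verifying the signature.

```python
"""Added example: WKD URL construction and a strict 'exactly one active key'
check on the binary response. Packets here are constructed, not real keys."""
import hashlib
from urllib.parse import quote

ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
PUBLIC_KEY, SIGNATURE, USER_ID = 6, 2, 13   # OpenPGP packet tags
KEY_REVOCATION = 0x20                        # signature type: primary key revoked


def zbase32(data: bytes) -> str:
    """z-base-32 as used by the WKD draft; 20 SHA-1 bytes map to exactly 32 chars."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_urls(address: str) -> dict:
    """Advanced and direct method URLs for a mail address (draft-koch-openpgp-webkey-service)."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={quote(local)}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={quote(local)}",
    }


def iter_packets(data: bytes):
    """Yield (tag, body) for RFC 4880 packets, old- and new-format headers.
    Partial and indeterminate body lengths are rejected to keep the parser small."""
    i = 0
    while i < len(data):
        first, i = data[i], i + 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                       # new-format header
            tag, o1, i = first & 0x3F, data[i], i + 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i] + 192, i + 1
            elif o1 == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def split_certs(data: bytes) -> list:
    """Group packets into certificates; each one starts with a public-key packet."""
    certs = []
    for tag, body in iter_packets(data):
        if tag == PUBLIC_KEY:
            certs.append([])
        if not certs:
            raise ValueError("response does not start with a public key packet")
        certs[-1].append((tag, body))
    return certs


def is_revoked(cert: list) -> bool:
    """True if a signature packet of type 0x20 follows the primary key.
    Only the type octet is inspected; a real client must verify the signature."""
    return any(tag == SIGNATURE and len(body) >= 2 and body[1] == KEY_REVOCATION
               for tag, body in cert[1:])


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, two-octet length, key packet body."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()


def select_single_key(response: bytes) -> dict:
    """Accept the response only if exactly one non-revoked key is present."""
    certs = split_certs(response)
    active = [c for c in certs if not is_revoked(c)]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active key, got {len(active)} of {len(certs)}")
    return {"fingerprint": v4_fingerprint(active[0][0][1]),
            "revoked": len(certs) - 1, "total": len(certs)}


def packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length (sufficient for the small bodies below)."""
    if len(body) >= 192:
        raise ValueError("body too long for a one-octet length")
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed stand-ins: v4 key bodies with fake MPIs and a fake revocation signature.
OLD_KEY_BODY = b"\x04" + (1500000000).to_bytes(4, "big") + b"\x01" + b"\x00\x08\x01"
NEW_KEY_BODY = b"\x04" + (1650000000).to_bytes(4, "big") + b"\x01" + b"\x00\x08\x03"
REVOCATION_SIG_BODY = b"\x04\x20\x01\x08" + b"\x00\x00" + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\x01"
USER_ID_BODY = b"dave@example.org"   # constructed user ID
RESPONSE_SINGLE = packet(PUBLIC_KEY, NEW_KEY_BODY) + packet(USER_ID, USER_ID_BODY)
RESPONSE_WITH_REVOKED = (packet(PUBLIC_KEY, OLD_KEY_BODY) + packet(SIGNATURE, REVOCATION_SIG_BODY)
                         + packet(USER_ID, USER_ID_BODY) + RESPONSE_SINGLE)
RESPONSE_TWO_ACTIVE = packet(PUBLIC_KEY, OLD_KEY_BODY) + packet(USER_ID, USER_ID_BODY) + RESPONSE_SINGLE
```

`select_single_key(RESPONSE_WITH_REVOKED)` returns the new key's fingerprint and reports one revoked certificate, which is the case the draft explicitly permits; `RESPONSE_TWO_ACTIVE` raises, which is the behaviour a WKD client should have instead of silently picking one of two live keys.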