WKD: returns only one pubkey (and why)

Vincent Breitmoser look at my.amazin.horse
Mon Dec 12 17:37:16 CET 2022


Hey Bernhard and list,

On 09.12.22 09:59, Bernhard Reiter wrote:
> The use of _the_ and _a_ key shows that only one public key is to be returned.
> This makes sense because the idea is that a client can directly use the key
> for encryption without asking the user for choice.

I generally agree with this goal. Allowing one address to bind to 
multiple certificates places a burden on client implementations to make 
a choice, and folks who work more on the backend side tend to 
underestimate this in my experience. That is the reason why for 
keys.openpgp.org we decided to follow WKD and return exactly zero or one 
certificates per address.

However, relatedly we have a new OpenPGP version (probably v6?) on the 
horizon, and will soon face the issue of migrating users and keys. And 
that will likely mean supporting at least two certificates (v4+v6) 
side-by-side for the same address.

It's not yet clear to me what the best way is to do that, but one way or 
another certificate discovery mechanisms such as WKD will have to deal 
with it.

Cheers

  - V
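The two WKD properties discussed above, the fixed lookup location per address and the "zero or one certificate" rule a client relies on, as an added worked example. This is not code from the thread, from GnuPG or from keys.openpgp.org; it computes the WKD direct and advanced URLs for an address (lowercased local part, SHA-1, z-base32, per draft-koch-openpgp-webkey-service) and then walks a binary OpenPGP blob just far enough to count Public-Key packets (tag 6), so a client can tell whether the server honoured the one-certificate rule or handed back, say, a v4 and a v6 certificate side by side. The packet walker is a minimal subset of RFC 4880 framing (no partial body lengths), the function names are my own, and the sample byte strings are constructed, not real keys.

```python
"""WKD lookup URLs for an address, plus a check that the returned blob
holds at most one certificate.  Added example; names and samples are
assumptions, not GnuPG/Hagrid code."""
import hashlib
from typing import Iterator, List, Optional, Tuple
from urllib.parse import quote

# z-base32 alphabet used by the WKD hash (RFC 6189 style, no padding)
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base32 without padding characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # pad to a multiple of 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """32-char z-base32 of SHA-1 over the lowercased local part."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD lookup URLs for an address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    lq = quote(local, safe="")  # original-case local part as query parameter
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={lq}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={lq}",
    }


def iter_packets(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet in a binary OpenPGP blob.
    Handles old- and new-format headers; partial body lengths are rejected."""
    i, n = 0, len(blob)
    while i < n:
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, blob[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + blob[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(blob[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                   # indeterminate: runs to end of blob
                length, i = n - i - 1, i + 1
            else:
                size = 1 << ltype            # 1, 2 or 4 length octets
                length, i = int.from_bytes(blob[i + 1:i + 1 + size], "big"), i + 1 + size
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += length


def primary_key_versions(blob: bytes) -> List[int]:
    """Version byte of every Public-Key packet (tag 6): one entry per certificate."""
    return [body[0] for tag, body in iter_packets(blob) if tag == 6]


def select_certificate(blob: bytes) -> Optional[bytes]:
    """The zero-or-one rule: return the blob for exactly one certificate,
    None for an empty response, and raise when the client would have to choose."""
    versions = primary_key_versions(blob)
    if not versions:
        return None
    if len(versions) > 1:
        raise ValueError(f"{len(versions)} certificates (versions {versions}); client must choose")
    return blob


# Constructed samples (headers only, not real keys):
#  ONE_CERT : old-format tag 6, 2-octet length, body starts with version 4;
#             then an old-format User ID packet (tag 13).
#  TWO_CERTS: ONE_CERT followed by a new-format tag 6 with version 6.
ONE_CERT = b"\x99\x00\x03\x04AB" + b"\xb4\x01X"
TWO_CERTS = ONE_CERT + b"\xc6\x03\x06CD"

if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG"))
    print(primary_key_versions(ONE_CERT), primary_key_versions(TWO_CERTS))
```

A client using this would fetch the advanced URL first and fall back to the direct one, then run select_certificate on the body; the v4+v6 migration case from the post shows up as primary_key_versions returning [4, 6], which is exactly the choice the one-certificate rule was meant to spare the client.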




More information about the Gnupg-devel mailing list