One thing I'm missing in all these guides describing how to store one's OpenPGP key in a Web Key Directory (WKD) is that for keys with lot of signatures the key best should be exported using
--export-options export-minimal

to not force an MB size download on the poor person who just wanted to write an encrypted mail.

Yes, that key then won't have the signatures, but I guess a user who uses WKD does not care about that. And if, do --refresh-keys.

@erAck I guess most people that these guides are targetted to do not have that many signatures.

For example your key has 1,3 MB and it has MSD ranking of 466 while mine has 107 KB and MSD ranking ~1300 so the number of people that have megabyte keys is less than a thousand in the world.

Yeah likely it doesn't matter for most keys.

@erAck By the way with newer GnuPG if a key was fetched with WKD it will be refreshed automatically over WKD when it expires. This can be used to run the key in keyserverless mode... in a way :)

That's convenient indeed. Well, *IF* the key holder prolongs the expiration date and uploads the refreshed key. Most seem to not even know that possibility and generate a new key instead. Which with WKD would work as well (or even better than per keyserver) if they upload it.

@erAck Yes, I agree expiration is frequently misunderstood (I actually answered on question today about it).

One more WKD trivia: if you specify your key with an e-mail while signing (e.g. `--default-key`) it will embed e-mail in the signature (Signer's UID packet). When someone verifies the sig with `--auto-key-retrieve` it will grab your key through WKD.

Only when default-key is specified with email? I have a keyid there since ages.. which makes more sense if there is more than one key.

@erAck I didn't design this, just saying how it works...

You can check such as sig if you pipe *the signature only* to `pgpdump` e.g. from this file

By the way it just came to me that `export-filter` with `keep-uid` can be used to make the WKD key small as GnuPG imports *only* the User ID that has requested e-mail in it (+all subkeys). Reference:

Thanks for the export-filter heads-up, I wasn't aware of that feature. That might solve the problem that accepts a key for publishing only if it contains *one* uid (or so they did last year or so when I tried).

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!