Excellent points and I'm glad that the draft has been published on this
ML for a discussion in a wider audience.
As far as I understood draft-mccain-keylist-02 its goals can already be
achieved with a combination of already existing features:
1. Discovering keys for company employees - using "e-mail to key" lookup
2. Trusting that these keys are authentic - by signing an Authority Key
and setting ownertrust to full. This can be done only once and it works
for all future keys. Even with draft-mccain-keylist-02 one needs to do
that to know which keys are trusted. There is one variation of this
scheme - by using Trust Signatures one can trust Authority Key to keys
from the company domain only.
3. Keeping keys up to date - why not just refresh all keys in the local
keyring? (e.g. `gpg --refresh-keys` or something similar). (GnuPG will
refresh expired keys over WKD if they were fetched with WKD ).
If the problem is that people verify signatures and the keys are not
present I think applications have appropriate options to fetch keys
automatically (e.g. `gpg --auto-key-retrieve`).
I like the point of using .well-known for a keyring of all people but
from what I've heard on GitHub the ability to host keylist on a
different domain is desired:
There's no reason to trust the server that hosts the keylist file. We already
don't trust it -- FLM hosts our keylist on GitHub.
openpgp mailing list