Hi, just testing the waters, whether this is something people like or not:

As we all know, false PGP keys can easily be forged for any given email address and uploaded to key servers. We've been there, even with the correct short key IDs and equally faked signatures!

One way to help senders get the real receiver's key is WKD (Web Key Directory). That is one HTTPS URL per email address, e.g. a static directory with PGP key files. (See https://wiki.gnupg.org/WKD)

Example: To get the public key of Linus Torvalds, you type

    $ gpg --auto-key-locate wkd --locate-keys torva...@kernel.org

which fetches the public key from this URL:

    https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x

Of course, WKD is only about fetching the key. The actual decision to trust a key or not, let alone sign it, does not change by use of WKD.

The second thing is WKS (Web Key Service): This is a protocol/tool to publish, update or de-publish keys via WKD in a standardized form. (See https://wiki.gnupg.org/WKS)

Do we want WKD for debian.org, like gentoo.org and kernel.org?

TIA for your opinions & Cheers
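To show how a client derives the WKD URL from an address (the opaque path component in the kernel.org URL above is the z-base-32 encoded SHA-1 of the lower-cased local part), here is an added example, not code from the post or from GnuPG; it follows the WKD draft (direct and advanced method, plus the "?l=" query carrying the original local part, which the URL quoted above omits) and uses the draft's own sample address Joe.Doe@Example.ORG as test input.

```python
import hashlib
import urllib.parse
import urllib.request

# z-base-32 alphabet (Zooko's variant), the encoding GnuPG uses for WKD hashes
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bits first, no padding characters."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # zero-fill the last group (a 160-bit SHA-1 needs none)
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 32-character file name: z-base-32(SHA-1(lower-cased local part))."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Direct and advanced lookup URLs for a mailbox address, per the WKD draft."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    domain = domain.lower()     # the domain is case-insensitive; the hash is over the local part only
    h = wkd_hash(local)
    query = "?l=" + urllib.parse.quote(local, safe="")   # original (un-lowercased) local part
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


def fetch_wkd_key(address: str, timeout: float = 10.0):
    """Try the advanced method first, then the direct one; return the binary OpenPGP key or None.
    Network access is needed; nothing here decides whether the key is trustworthy."""
    urls = wkd_urls(address)
    for method in ("advanced", "direct"):
        try:
            with urllib.request.urlopen(urls[method], timeout=timeout) as resp:
                return resp.read()
        except (urllib.error.URLError, OSError):
            continue
    return None
```

The key file served under hu/ is the binary (not ASCII-armored) public key, and a successful fetch only tells you what the domain operator publishes, so the trust decision the post mentions still has to be made afterwards.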
As we all know, false PGP keys can easily be forged for any given email address and uploaded to key servers. We've been there, even with the correct short key ids and equally faked signatures! One way to help senders getting the real receivers key is WKD (web key directory). That is one HTTPS URL per email address, e.g. a static directory with PGP key files. (See https://wiki.gnupg.org/WKD) Example: To get the public key of Linus Torvalds, you type $ gpg --auto-key-locate wkd --locate-keys torva...@kernel.org which fetches the public key from this URL: https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x Of course, WKD is only about fetching the key. The actual decision to trust or not a key, let alone sign it, does not change by use of WKD. The second thing is WKS (web key service): This is a protocol/tool to publish, update or de-puplish keys via WKD in a standardized form. (See https://wiki.gnupg.org/WKS) Do we want WKD for debian.org, like gentoo.org and kernel.org? TIA for your opinions & Cheers