On 01.01.2019 13:19, Stefan Claas wrote:
> Hi Wiktor and all,
>
> since my current WKD key is a temporary key I would like to know
> for best practice the following:
>
> In a couple of days I will receive my Kanguru Defender 3000 USB stick
> and then I will create a new key pair and put it on the stick, along
> with other things. This key will then also be signed by Governikus.
>
> Because WKD currently does not cover revocation certs I would like
> to know how to continue. Should I upload then my revoked temp
> key to SKS or should I simply replace the keys? If possible I would
> like to avoid SKS usage in the future.
>
> Does GnuPG detect when I use a new WKD pub key, once I signed
> a new message?
Stefan,

Revoke your current key locally and generate a new one, now export both binary keys (that includes revocation) to a file. Place it in .well-known/openpgpkey/hu overwriting the old file.

Now, when GnuPG does --locate-key it will fetch both keys, revoke your old one and add the new one. If someone already has your old key GnuPG will do the fetch automatically when the old key expires (you didn't use expiry as far as I can see so it won't happen automatically). One can still "force" the WKD refresh using:

    $ gpg --auto-key-locate clear,wkd,nodefault --locate-key s...@300baud.de

I just tested this all with some dummy key on my end and it worked just fine... hope it works on your end too.

As for signing, if you specify signing key using "e-mail notation" GnuPG will embed Signer's UID packet and when the recipient uses --auto-key-retrieve it will grab your key using WKD instead of keyservers. But I didn't test what would happen if the old key is already present in the keyring that doesn't match the signature, probably nothing.

(You can inspect this file with pgpdump if you want to see the packet:

    $ curl https://metacode.biz/.well-known/security.txt | pgpdump
)

Happy New Year!

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
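The rollover Wiktor describes depends on two details the mail leaves implicit: the file name under .well-known/openpgpkey/hu is the z-base-32 encoding of the SHA-1 of the lower-cased local part, and the file must be a binary concatenation of the revoked old key and the new key. The following is an added example (not code from the thread or from GnuPG) that computes that path and assembles the blob; the key bytes in the test are constructed placeholders, and a real run would feed it the output of gpg --export (without --armor).

```python
"""Build the WKD 'hu' file name and the combined key blob for a key rollover."""
import hashlib

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, MSB first, without padding characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad to a multiple of 5 bits
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hu_hash(address: str) -> str:
    """Return the 32-character file name for an address: zbase32(sha1(lowercase local part))."""
    local, _, _domain = address.rpartition("@")
    return zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())


def wkd_hu_path(address: str) -> str:
    """Return the direct-method path served on the address's domain (web root relative)."""
    return "/.well-known/openpgpkey/hu/" + wkd_hu_hash(address)


def rollover_blob(old_key_revoked: bytes, new_key: bytes) -> bytes:
    """Concatenate the two binary exports into the single file WKD serves.

    The old export must already carry the revocation signature, so a client
    fetching the file revokes the old key and imports the new one in one go.
    WKD clients do not parse ASCII armor, so armored input is rejected; an
    OpenPGP packet stream always starts with a byte whose high bit is set.
    """
    for blob in (old_key_revoked, new_key):
        if blob.startswith(b"-----BEGIN"):
            raise ValueError("WKD requires binary key exports, not ASCII armor")
        if not blob or not blob[0] & 0x80:
            raise ValueError("input does not look like an OpenPGP packet stream")
    return old_key_revoked + new_key


if __name__ == "__main__":
    # Example address from the WKD draft; prints the path the server must serve.
    print(wkd_hu_path("Joe.Doe@Example.ORG"))
```

Upload the resulting bytes to that path, overwriting the previous file, and keep the server's Content-Type as application/octet-stream.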