
I have published my gpg key on keys.openpgp.org, keyserver.ubuntu.com, and my own WKDs corresponding to each of the two email addresses on my own domains.

Another user updated my public key from my WKD (per my instruction using gpg --auto-key-locate clear,nodefault,wkd --locate-key <email address>), certified it, and sent it to me.

The new signature didn't show up for me, so I imported the key they sent to a temporary keyring to investigate (couldn't find the certificate there either, but that's just for context). I was surprised to see that the public key they sent me included the (unrevoked) UID corresponding to a job I left a year ago, for which I had published a revocation around the time of leaving the job. The other user presumably already had an old version of my key, but since the transmitted public key's expiration date corresponds to my latest update, I know they must have also retrieved the latest version.

I would have expected that the user importing my key from my WKD would have retrieved the revocation of the outdated UID, as I would have expected the public key I published in my WKD (exported via gpg --no-armor --export <fingerprint> > <wkd-hash>) to include it. Experimenting further, it seems that retrieving keys from WKD will always only import the single corresponding UID.

I'm aware that keys.openpgp.org does not publish revoked UIDs since they do not provide UIDs at all. Presumably, the revocation should also be on keyserver.ubuntu.com, but all the SKS servers are pretty wonky these days. However, neither updating the temporary key from my WKD nor from keyserver.ubuntu.com made the old UID show up as revoked. Importing the file I pushed to my WKD does revoke the old UID.

Either way, I'm now wondering how I can reliably broadcast the revocation of my outdated UID.

Murch
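The <wkd-hash> the export above is written to is not arbitrary: per the Web Key Directory draft it is the z-base-32 encoding of the SHA-1 hash of the address's local part with ASCII letters lowercased, and a client then fetches it from a fixed URL under .well-known/openpgpkey/ (advanced method on the openpgpkey. subdomain first, then the direct method on the domain itself). The following Python script is an added example, not code from the original post or from GnuPG; it computes that filename, the two URLs a client will try, and the paths (including the required policy file) to place the binary export under. The address Alice@Example.ORG is a placeholder.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet, as used by the Web Key Directory draft (draft-koch-openpgp-webkey-service).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode without padding characters (a SHA-1 digest yields exactly 32 characters)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # final partial group: pad with zero bits on the right
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def _map_local_part(local_part: str) -> str:
    """WKD maps only ASCII letters to lower case before hashing; other characters stay as-is."""
    return "".join(c.lower() if c.isascii() else c for c in local_part)


def split_address(email: str) -> tuple:
    """Split on the last '@' so a local part may itself contain '@' when quoted."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local_part, domain


def wkd_hash(email: str) -> str:
    """Filename under .../hu/ for this address: z-base-32(SHA-1(mapped local-part))."""
    local_part, _ = split_address(email)
    return zbase32_encode(hashlib.sha1(_map_local_part(local_part).encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """URLs a client tries: advanced method (openpgpkey.<domain>) first, then the direct method."""
    local_part, domain = split_address(email)
    domain = domain.lower()
    h = wkd_hash(email)
    query = "?l=" + quote(local_part, safe="")  # the original, unmapped local-part
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


def wkd_paths(email: str) -> dict:
    """Where the binary export goes on the web server; a 'policy' file must exist beside hu/ too."""
    _, domain = split_address(email)
    domain = domain.lower()
    h = wkd_hash(email)
    return {
        "advanced": f".well-known/openpgpkey/{domain}/hu/{h}",
        "advanced_policy": f".well-known/openpgpkey/{domain}/policy",
        "direct": f".well-known/openpgpkey/hu/{h}",
        "direct_policy": ".well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    import sys
    for address in sys.argv[1:] or ["Alice@Example.ORG"]:  # placeholder address
        print(address, "->", wkd_hash(address))
        for method, url in wkd_urls(address).items():
            print(f"  {method:8} {url}")
        print(f"  export with: gpg --no-armor --export <fingerprint> > {wkd_paths(address)['direct']}")
```

Only the local part feeds the hash, so Alice@example.org and alice@example.org map to the same file while the domain only selects the directory; the ?l= query carries the original spelling. gpg can print the same value with the --with-wkd-hash listing option, which is a quick cross-check that the file name you uploaded is the one a client will request.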

1 Answer


From what I gather, locating a key on a WKD will only retrieve the sought UID and not import other UIDs that may be stored along with it. As mentioned, keys.openpgp.org will not publish revoked UIDs at all and SKS servers have been mostly shut down and are fairly unreliable.

I could not find a way to broadcast the revocation of my UID, beyond publishing my key on my website for other users to retrieve directly.

Murch
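The observation in the question and answer (the WKD file contains the revoked UID and its revocation, but what arrives via --locate-key does not) is easy to check on the raw bytes rather than through gpg's listings. The following Python script is an added example, not code from the original post or from GnuPG: it walks the OpenPGP packet stream of a binary certificate (old- and new-format headers, RFC 4880 section 4.2) and reports, for every user ID packet, how many certification signatures (types 0x10 to 0x13) and how many certification-revocation signatures (type 0x30) follow it. Run it on the file you wrote to your WKD and on gpg --no-armor --export of the key in the temporary keyring to see which UIDs and revocations survived the trip. It parses only packet framing and the signature-type byte, verifies nothing, and when given no file argument runs on a constructed certificate skeleton with dummy key and signature material.

```python
from __future__ import annotations
import sys
from dataclasses import dataclass

# OpenPGP packet tags (RFC 4880 section 4.3) and signature types (section 5.2.1).
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY, TAG_USER_ATTR = 2, 6, 13, 14, 17
SIG_CERTIFICATIONS = {0x10, 0x11, 0x12, 0x13}  # generic/persona/casual/positive certification
SIG_CERT_REVOCATION = 0x30                     # revokes a user ID certification


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        if hdr & 0x40:  # new format
            tag = hdr & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths do not occur in exported certificates")
        else:  # old format (what gpg --export writes for tags below 16)
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet")
            nbytes = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        yield tag, data[pos:pos + length]
        pos += length


def signature_type(body: bytes) -> int:
    """Signature type: byte 2 of a v3 signature, byte 1 of v4 and later."""
    return body[2] if body[0] == 3 else body[1]


@dataclass
class UserIdInfo:
    uid: str
    certifications: int = 0
    revocations: int = 0


def summarize_certificate(data: bytes) -> list[UserIdInfo]:
    """For each user ID, count the certification and certification-revocation signatures after it."""
    uids, current = [], None
    for tag, body in iter_packets(data):
        if tag == TAG_USER_ID:
            current = UserIdInfo(body.decode("utf-8", "replace"))
            uids.append(current)
        elif tag in (TAG_PUBLIC_SUBKEY, TAG_USER_ATTR):
            current = None  # following signatures bind a subkey or attribute, not this UID
        elif tag == TAG_SIGNATURE and current is not None:
            stype = signature_type(body)
            if stype in SIG_CERTIFICATIONS:
                current.certifications += 1
            elif stype == SIG_CERT_REVOCATION:
                current.revocations += 1
    return uids


def _packet(tag: int, body: bytes, new_format: bool = False) -> bytes:
    """Frame one packet (constructed test data only; bodies here are dummies)."""
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    if len(body) < 256:
        return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


def _dummy_sig(stype: int) -> bytes:
    """A v4 signature packet with only the leading bytes that this script reads."""
    return _packet(TAG_SIGNATURE, bytes([4, stype, 1, 8]) + b"\x00" * 6)


def constructed_sample() -> bytes:
    """Constructed certificate skeleton: one current UID, one revoked UID, one subkey."""
    return b"".join([
        _packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00" * 8),
        _packet(TAG_USER_ID, b"Alice <alice@example.org>"),
        _dummy_sig(0x13),
        _packet(TAG_USER_ID, b"Alice <alice@old-job.example>", new_format=True),
        _dummy_sig(0x13),
        _dummy_sig(SIG_CERT_REVOCATION),
        _packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 13),
        _dummy_sig(0x18),
    ])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for info in summarize_certificate(blob):
        state = "revoked" if info.revocations else "valid"
        print(f"{state:8} certs={info.certifications} revocations={info.revocations}  {info.uid}")
```

The input must be binary (what --no-armor produces; run ASCII-armored files through gpg --dearmor first). The counts are deliberately naive: the script does not read issuer subpackets, so it cannot tell a self-signature from a third-party certification, and a UID that was re-certified after the revocation is valid again despite the 0x30 packet. For the question's purpose the interesting result is simply whether the old UID and its revocation packet are present in a given file at all.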