Launching a new keyserver

From a community effort by Enigmail , OpenKeychain , and Sequoia PGP , we are pleased to announce the launch of the new public OpenPGP keyserver keys.openpgp.org ! Hurray! :tada:

Give me the short story!

• Fast and reliable. No wait times, no downtimes, no inconsistencies.
• Precise. Searches return only a single key, which allows for easy key discovery.
• Validating. Identities are only published with consent, while non-identity information is freely distributed.
• Deletable. Users can delete personal information with a simple e-mail confirmation.
• Built on Rust, powered by Sequoia PGP - free and open source, running AGPLv3.

!

Why a new keyserver?

We created keys.openpgp.org to provide an alternative to the SKS Keyserver pool, which is the default in many applications today. This distributed network of keyservers has been struggling with abuse , performance , as well as privacy issues , and more recently also GDPR compliance questions. Kristian Fiskerstrand has done a stellar job maintaining the pool for more than ten years , but at this point development activity seems to have mostly ceased .

We thought it time to consider a fresh approach to solve these problems.

Identity and non-identity information

The keys.openpgp.org keyserver splits up identity and non-identity information in keys. You can find more details on ourabout page: The gist is that non-identity information (keys, revocations, and so on) is freely distributed, while identity information is only distributed with consent that can also be revoked at any time.

If a new key is verified for some e-mail address, it will replace the previous one. This way, every e-mail address is only associated with a single key at most. It can also be removed from the listing at any time by the owner of the address. This is very useful for key discovery: if a search by e-mail address returns a key, it means this is the single key that is currently valid for the searched e-mail address.

Support in Enigmail and OpenKeychain

The keys.openpgp.org keysever will receive first-party support in upcoming releases of Enigmail for Thunderbird, as well as OpenKeychain on Android. This means users of those implementations will benefit from the faster response times, and improved key discovery by e-mail address. We hope that this will also give us some momentum to build this project into a bigger community effort.

Current challenges

Privacy-preserving techniques in keyservers are still new, and sadly there are still a few compatibility issues caused by splitting out identity information.

In particular, when GnuPG (as of this writing, version 2.2.16) encounters an OpenPGP key without identities, it throws an error "no user ID" and does not process new non-identity information (like revocation certificates) even if it is cryptographically valid. We are actively engaged in providing fixes for these issues.

The future

Privacy-preserving techniques in keyservers are still new, and we have more ideas for reducing the metadata. But for now, our plan is only to keep keys.openpgp.org reliable and fast :rabbit2:, fix any upcoming bugs :beetle:, andlisten to feedback from the community. :ear:

For more info, head on over to ourabout page andFAQ pages. You can get started right away by uploading your your key ! Beyond that there is more cool stuff to discover, like ourAPI, and anOnion Service!

Cheers! :beers: