For instructions, see our usage guide.
No. The federation model of the SKS pool has various problems in terms of reliability, abuse-resistance, privacy, and usability. We might do something similar to it, but keys.openpgp.org will never be part of the SKS pool itself.
For the moment, no. We do plan to decentralize keys.openpgp.org at some point. With multiple servers run by independent operators, we can hopefully improve the reliability of this service even further.
Several folks offered to help out by "running a Hagrid server instance". We very much appreciate the offer, but we will probably never have an "open" federation model like SKS, where everyone can run an instance and become part of a "pool". This is for two reasons:
We require explicit consent to distribute identity information. Identities that aren't email addresses, such as pictures or website URLs, offer no simple way for us to acquire this consent.
Note: Some OpenPGP software creates keys with incorrectly formatted email addresses. These addresses might not be recognized correctly on keys.openpgp.org.
An email address can only be associated with a single key. When an address is verified for a new key, it will no longer appear in any key for which it was previously verified. Non-identity information will still be distributed for all keys.
This means a search by email address will only return a single key, not multiple candidates. This eliminates an impossible choice for the user ("Which key is the right one?"), and makes key discovery by email much more convenient.
We use a modern standard called MTA-STS, combined with STARTTLS Everywhere by the EFF, to make sure verification emails are sent out securely. This protects against eavesdropping and interception during delivery.
The MTA-STS mechanism only works if supported by the recipient's email provider. Otherwise, emails will be delivered as usual. You can run this test to see if your email provider supports it. If the "MTA-STS" entry on the left isn't a green checkmark, please ask your provider to update their configuration.
Short answer: No.
A "third party signature" is a signature on a key that was made by some other key. Most commonly, those are the signatures produced when "signing someone's key", which are the basis for the "Web of Trust". For a number of reasons, those signatures are not currently distributed via keys.openpgp.org.
The killer reason is spam. Third party signatures allow attaching arbitrary data to anyone's key, and nothing stops a malicious user from attaching so many megabytes of bloat to a key that it becomes practically unusable. Even worse, they could attach offensive or illegal content.
There are ideas to resolve this issue. For example, signatures could be distributed with the signer, rather than the signee. Alternatively, we could require cross-signing by the signee before distribution to support a caff-style workflow. If there is enough interest, we are open to working with other OpenPGP projects on a solution.
The keys.openpgp.org service is meant for key distribution and discovery, not as a de facto certification authority. Client implementations that want to offer verified communication should rely on their own trust model.
When an OpenPGP key marks one of its identities as revoked, this identity should no longer be considered valid for the key, and this information should ideally be distributed to all OpenPGP clients that already know about the newly revoked identity.
Unfortunately, there is currently no good way to distribute revocations, that doesn't also reveal the revoked identity itself. We don't want to distribute revoked identities, so we can't distribute the identity at all.
There are proposed solutions to this issue, that allow the distribution of revocations without also revealing the identity itself. But so far there is no final specification, or support in any OpenPGP software. We hope that a solution will be established in the near future, and will add support on keys.openpgp.org as soon as we can.
Some keyservers support search for keys by part of an email address. This allows discovery not only of keys, but also of addresses, with a query like "keys for addresses at gmail dot com". This effectively puts the addresses of all keys on those keyservers into a public listing.
A search by email address on keys.openpgp.org returns a key only if it exactly matches the email address. That way, a normal user can discover the key associated with any address they already know, but they cannot discover any new email addresses. This prevents a malicious user or spammer from easily obtaining a list of all email addresses on the server.
We made this restriction a part of our privacy policy, which means we can't change it without asking for user consent.
Of course!
If you have Tor installed,
you can reach keys.openpgp.org anonymously
as an
onion service:
zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
GnuPG considers keys that contain no identity information to be invalid, and refuses to import them. However, a key that has no verified email addresses may still contain useful information. In particular, it's still possible to check whether the key is revoked or not.
In June 2019, the keys.openpgp.org team created a patch that allows GnuPG to process updates from keys without identity information. This patch was quickly included in several downstream distributions of GnuPG, including Debian, Fedora, NixOS, and GPG Suite for macOS.
In March 2020 the GnuPG team rejected the patch, and updated the issue status to "Wontfix". This means that unpatched versions of GnuPG cannot receive updates from keys.openpgp.org for keys that don't have any verified email address. You can read about this decision in issue T4393 on the GnuPG bug tracker.
You can check if your version of GnuPG is affected with the following instructions.
Import test key:
$ curl https://keys.openpgp.org/assets/uid-test.pub.asc | gpg --import
gpg: key F231550C4F47E38E: "Alice Lovelace <alice@openpgp.example>" imported
gpg: Total number processed: 1
gpg: imported: 1
With patch, key will be updated if locally known:
$ gpg --recv-keys EB85BB5FA33A75E15E944E63F231550C4F47E38E
gpg: key F231550C4F47E38E: "Alice Lovelace <alice@openpgp.example>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Without patch, a key without identity is always rejected:
$ gpg --recv-keys EB85BB5FA33A75E15E944E63F231550C4F47E38E
gpg: key EB85BB5FA33A75E15E944E63F231550C4F47E38E: no user ID
Hagrid v1.3.0 built from 26ef2f6
Powered by Sequoia-PGP
Background image retrieved from Subtle Patterns under CC BY-SA 3.0