For a long time, the SKS Keyserver pool has been a de facto standard for publishing OpenPGP-compatible public keys. Kristian Fiskerstrand (@krifisk on Twitter) has been running the pool for more than ten years, but over the years the distributed network of keyservers has struggled with abuse, performance, and privacy issues, and more recently also with GDPR compliance questions.

Is it time to make a change when it comes to the way you publish your public key(s)? If so, is the solution?

The keyserver splits up identity and non-identity information in keys. The gist is that non-identity information (keys, revocations, and so on) is freely distributed, while identity information is only distributed with consent that can also be revoked at any time.

If a new key is verified for some e-mail address, it will replace the previous one. This way, every e-mail address is only associated with a single key at most. It can also be removed from the listing at any time by the owner of the address. This is very useful for key discovery. If a search by e-mail address returns a key, it means this is the single key that is currently valid for the searched e-mail address.
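The publication rules described above, as an added toy model in Python; it is not the keyserver's own code. The class and method names are hypothetical, the fingerprints and address are constructed, and how an address is actually verified is left out of scope.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    fingerprint: str        # non-identity information
    user_ids: set           # identity information (e-mail addresses on the key)
    revoked: bool = False   # non-identity information


@dataclass
class Keyserver:            # hypothetical model, not a real API
    keys: dict = field(default_factory=dict)      # fingerprint -> Key
    by_email: dict = field(default_factory=dict)  # consented address -> fingerprint

    def upload(self, key):
        # Key material is accepted and distributed; no address is listed yet.
        self.keys[key.fingerprint] = key

    def verify(self, email, fingerprint):
        # Assumed to be called only after the address owner has consented.
        if email not in self.keys[fingerprint].user_ids:
            raise ValueError("key does not carry this address")
        # A newly verified key replaces the previous one for that address.
        self.by_email[email] = fingerprint

    def withdraw(self, email):
        # The address owner can remove the listing at any time.
        self.by_email.pop(email, None)

    def revoke(self, fingerprint):
        # Revocations are non-identity information and always distributed.
        self.keys[fingerprint].revoked = True

    def get_by_fingerprint(self, fingerprint):
        key = self.keys[fingerprint]
        # Only addresses currently verified for *this* key are published.
        listed = sorted(e for e in key.user_ids
                        if self.by_email.get(e) == fingerprint)
        return {"fingerprint": fingerprint, "revoked": key.revoked,
                "user_ids": listed}

    def get_by_email(self, email):
        # At most one key per address: the one currently verified for it.
        fpr = self.by_email.get(email)
        return None if fpr is None else self.get_by_fingerprint(fpr)
```

In this model, a client that looks up a key by fingerprint still receives revocations even when the owner has never consented to publishing an address, while a search by e-mail address returns either nothing or exactly one key.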

In upcoming releases of Enigmail for Thunderbird as well as OpenKeychain on Android, the keyserver will receive first-party support.

Find more info at!