
Refresh OpenPGP Certificates from the Internet

WKD, HKP, DANE/OPENPGPKEY, oh my!

Perhaps a sop-based application wants to talk to the Internet to refresh some certificates it already has a copy of.

sop refresh-certs-from-network < CERTS > CERTS

This is mostly a provocation at this point (sop has never spoken to the network before), but hopefully it's also a starting point for a discussion.

The application using sop might want to check for revocations, new User IDs, new subkeys, updates to expiration, etc. It probably does not want to fetch entirely new certificates (though maybe it would be OK to do so if there was a valid "replacement key" indicator linking the two?)

What are the reasonable choices that a sop implementation can make here? Can we specify this minimally enough that implementations can compete on feature completeness and on privacy at the same time?
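As an added example (not from sop, its specification, or any sop implementation), the sketch below shows the two pieces a `refresh-certs-from-network` verb would need: the discovery URLs for WKD, HKP and DANE OPENPGPKEY, and a refresh policy that only updates certificates the caller already holds and drops anything with an unknown primary fingerprint. Assumptions: the merge is a byte-exact packet union rather than a signature-aware merge, `keys.example.org` is a placeholder keyserver, the sample certificates are hand-built packets with placeholder key bytes (not real keys), and nothing here actually touches the network.

```python
# Added example, not part of sop or any sop implementation. Discovery URL
# construction for WKD / HKP / DANE OPENPGPKEY plus a "refresh only what we
# already have" policy. Key material below is constructed placeholder bytes.
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD


def zbase32(data: bytes) -> str:
    """z-base-32 encode, MSB first, no padding."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc, nbits = (acc << 8) | byte, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 31])
    if nbits:
        out.append(ZBASE32[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_urls(addr: str) -> tuple[str, str]:
    """(advanced, direct) WKD lookup URLs per draft-koch-openpgp-webkey-service."""
    local, domain = addr.rsplit("@", 1)
    h = zbase32(hashlib.sha1(local.lower().encode()).digest())
    dom, l = domain.lower(), quote(local, safe="")
    return (f"https://openpgpkey.{dom}/.well-known/openpgpkey/{dom}/hu/{h}?l={l}",
            f"https://{dom}/.well-known/openpgpkey/hu/{h}?l={l}")


def hkp_url(server: str, fingerprint: str) -> str:
    """HKP machine-readable fetch by full fingerprint (draft-shaw-openpgp-hkp)."""
    return f"https://{server}/pks/lookup?op=get&options=mr&search=0x{fingerprint}"


def dane_owner_name(addr: str) -> str:
    """OPENPGPKEY owner name per RFC 7929: SHA-256(local part) truncated to 28 octets."""
    local, domain = addr.rsplit("@", 1)
    return f"{hashlib.sha256(local.encode()).digest()[:28].hex()}._openpgpkey.{domain.lower()}"


def _header(buf: bytes, off: int) -> tuple[int, int, int]:
    """(tag, header_len, body_len) of the packet at buf[off:] (RFC 4880 section 4.2)."""
    b = buf[off]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b & 0x40:  # new-format header
        tag, first = b & 0x3F, buf[off + 1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + buf[off + 2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(buf[off + 2:off + 6], "big")
        raise ValueError("partial body lengths not supported in this example")
    ltype = b & 3  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    hlen = 1 + (1 << ltype)
    return (b >> 2) & 0x0F, hlen, int.from_bytes(buf[off + 1:off + hlen], "big")


def packets(cert: bytes) -> list[bytes]:
    """Split a binary certificate into raw packets (header + body)."""
    out, off = [], 0
    while off < len(cert):
        _, hlen, blen = _header(cert, off)
        out.append(cert[off:off + hlen + blen])
        off += hlen + blen
    return out


def primary_fingerprint(cert: bytes) -> str:
    """v4 fingerprint of the leading Public-Key packet: SHA-1(0x99 || len16 || body)."""
    tag, hlen, blen = _header(cert, 0)
    if tag != 6:
        raise ValueError("certificate must begin with a Public-Key packet")
    body = cert[hlen:hlen + blen]
    if body[0] != 4:
        raise ValueError("only v4 keys handled here")
    return hashlib.sha1(b"\x99" + blen.to_bytes(2, "big") + body).hexdigest().upper()


def refresh(existing: list[bytes], fetched: list[bytes]) -> tuple[list[bytes], list[str]]:
    """Merge fetched packets into certs we already hold (byte-exact packet union, a
    simplification); never import a cert whose primary fingerprint we did not start
    with. Returns (updated certs, dropped fingerprints)."""
    known = {primary_fingerprint(c): packets(c) for c in existing}
    dropped = []
    for cert in fetched:
        fpr = primary_fingerprint(cert)
        if fpr not in known:
            dropped.append(fpr)
            continue
        have = set(known[fpr])
        for p in packets(cert):
            if p not in have:
                known[fpr].append(p)
                have.add(p)
    return [b"".join(pkts) for pkts in known.values()], dropped


def _pubkey_packet(seed: int) -> bytes:
    """Constructed v4 EdDSA-shaped Public-Key packet; 'seed' only varies placeholder key bytes."""
    oid = bytes.fromhex("2b06010401da470f01")  # Ed25519 curve OID
    mpi = (263).to_bytes(2, "big") + b"\x40" + bytes([seed]) * 32  # placeholder point
    body = b"\x04" + (0).to_bytes(4, "big") + b"\x16" + bytes([len(oid)]) + oid + mpi
    return bytes([0xC0 | 6, len(body)]) + body


def _uid_packet(uid: str) -> bytes:
    return bytes([0xC0 | 13, len(uid)]) + uid.encode()


# Constructed sample certs: A as held locally, A with a new User ID as "fetched", B unknown.
CERT_A = _pubkey_packet(0x11) + _uid_packet("alice@example.org")
CERT_A_UPDATED = CERT_A + _uid_packet("alice@example.net")
CERT_B = _pubkey_packet(0x22) + _uid_packet("bob@example.org")

if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG")[0])
    print(hkp_url("keys.example.org", primary_fingerprint(CERT_A)))
    print(dane_owner_name("alice@example.org"))
    print(refresh([CERT_A], [CERT_A_UPDATED, CERT_B]))
```

The policy in `refresh` is the minimal answer to "do not fetch entirely new certificates": every candidate is keyed by the fingerprint of its leading Public-Key packet, so a keyserver returning an unrelated certificate for the same User ID is simply dropped. Which of the three discovery mechanisms to consult, and in what order, is exactly the privacy-versus-completeness trade-off the question above leaves open.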