hagrid should allow me to distribute identity information about one e-mail address connected to multiple certificates
I currently have two different OpenPGP certificates that have the same e-mail address in them, because I'm going through a key transition.
I'd like to be able to distribute both of those certificates through hagrid.
While I no longer use the old secret key for signing, old signed e-mail messages of mine still exist, and signed software releases that should be verified against the old certificate are still floating around.
As I understand it, once I confirm a new certificate with my current e-mail address with hagrid, hagrid will no longer distribute the "identity information" of my old certificate.
This makes verifying old e-mail messages and software packages difficult to do for peers of mine who use hagrid, because if they do a lookup by fingerprint or key ID, they won't get a valid TPK.
To fix this only for certificate retrieval by key ID or fingerprint (leaving retrieval by e-mail address single-key), the user would need to decide which of their verified certificates are valid, and also select one of the valid, verified certificates as the "listed" certificate for their e-mail address.
Alternately, if we're willing to let retrieval by e-mail address return multiple certificates, then the user need only decide which of their verified certificates are valid. This is marginally better management UI than the paragraph above, but still clearly worse than the current "you only get one" constraint.
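To make the two alternatives above concrete, here is a toy model of the three distribution policies (today's single listed certificate per address, the per-holder "valid" plus "listed" choice, and multi-certificate e-mail lookup). It is an added Python example, not hagrid's own code; the Keystore and Cert classes, the policy names, and the fingerprint labels OLD/NEW are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    fingerprint: str                              # constructed label, not a real fingerprint
    emails: set                                   # addresses in the cert's user IDs
    verified: set = field(default_factory=set)    # addresses the holder confirmed
    valid: bool = True                            # holder's choice: keep distributing

class Keystore:
    # policy "current": one listed cert per address, other certs lose that user ID
    # policy "listed":  holder marks certs valid and picks one listed cert per address
    # policy "multi":   e-mail lookup returns every valid cert verified for the address
    def __init__(self, policy="current"):
        self.policy, self.certs, self.listed = policy, {}, {}

    def verify(self, fpr, email, listed=True):
        cert = self.certs[fpr]
        if email not in cert.emails:
            raise ValueError("address not in certificate")
        cert.verified.add(email)
        if self.policy == "current" or listed:
            self.listed[email] = fpr          # under "current", latest verification wins

    def by_fingerprint(self, fpr):
        """Fingerprint/key-ID lookup: the cert plus the user IDs hagrid would attach."""
        cert = self.certs[fpr]                # KeyError for an unknown fingerprint
        if self.policy == "current":
            uids = {e for e in cert.verified if self.listed.get(e) == fpr}
        else:
            uids = set(cert.verified) if cert.valid else set()
        return fpr, sorted(uids)

    def by_email(self, email):
        """E-mail lookup: the single listed cert, or all valid verified certs under 'multi'."""
        if self.policy == "multi":
            return sorted(f for f, c in self.certs.items() if c.valid and email in c.verified)
        fpr = self.listed.get(email)
        return [fpr] if fpr is not None and self.certs[fpr].valid else []

def key_transition(policy, old_valid=True):
    # Scenario from the issue: old and new cert share one address; the new one is verified last.
    ks = Keystore(policy)
    ks.certs["OLD"] = Cert("OLD", {"alice@example.org"}, valid=old_valid)
    ks.certs["NEW"] = Cert("NEW", {"alice@example.org"})
    ks.verify("OLD", "alice@example.org")
    ks.verify("NEW", "alice@example.org")      # becomes the listed cert
    return {"old": ks.by_fingerprint("OLD"), "new": ks.by_fingerprint("NEW"),
            "email": ks.by_email("alice@example.org")}
```

Under "current" the old certificate comes back with no user ID at all, which is the lookup-by-fingerprint problem described above; under the other two policies the holder's "valid" flag decides whether the old certificate keeps its identity information.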
There also may be other (non-key-transition) situations where a user legitimately wants to have different certificates associated with their e-mail address, in which case limiting them to a single "listed" certificate would be problematic.
For example, I might have a software-signing certificate that I want to use with a project that I work on whose secret key is protected by hardware (and maybe has no encryption-capable subkey), while also having a different certificate that I use for regular e-mail (with an encryption-capable subkey, but where the signing-capable subkey is available unprotected to my MUA, and shouldn't be trusted for software verification). I might want to distribute both of these certificates via hagrid, and I might want hagrid to return them both when someone looks me up by e-mail address. (Distinct subkey capabilities would be a better way to express this particular use case, but that's not part of OpenPGP right now :/ )
If we allow multiple certificates to be returned from a query-by-e-mail-address, that would align with the "E-mail address lookup" interface described in the abuse-resistant keystore draft.