PGPKeys.EU provides software and services for the #OpenPGP cryptography ecosystem.
website: https://spider.pgpkeys.eu
github: https://github.com/pgpkeys-eu
github: https://github.com/hockeypuck
Hockeypuck has been awarded further funding from @NGIZero ! https://nlnet.nl/project/Hockeypuck-distributed-keys/
NLnet; Distributed key management in Hockeypuck

67 projects will receive NGI0 grants to support the great work they are doing to keep our internet fair, open, resilient and secure with us, the users, at the center. Together they are fixing the internet across the entire technology stack, from open hardware to end user applications. Each project is free/libre/open source meaning everyone can use, study, share and modify them. A true digital commons.

Come over to meet the projects!
https://nlnet.nl/news/2026/20260616-67-new-projects.html

#NGI #NGI0 #foss #fossfunding

NLnet; 67 Open Technology Projects awarded NGI grants

Happy 35th birthday to PGP!

*Open*PGP is a couple of years younger but to mark the occasion (and also the 0th birthday of the OpenPGP Organization!) there’s a fresh new theme on the https://openpgp.org website.


Happy 35th birthday to PGP!

Here are some letters from a few of the people PGP helped in the early days: https://philzimmermann.com/EN/letters/index.html

#pgp

Letters from Human Rights Groups

Good news! The HKP draft has been adopted by the IETF #OpenPGP Working Group, the first official step towards publication as an RFC 🤩

It is now known as draft-ietf-openpgp-hkp, which replaces draft-gallagher-openpgp-hkp, which itself replaced draft-shaw-openpgp-hkp.

It has been a long couple of decades 😂

https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-hkp

OpenPGP HTTP Keyserver Protocol

This document specifies a series of conventions to implement an OpenPGP keyserver using the Hypertext Transfer Protocol (HTTP). As this document is a codification and extension of a protocol that is already in wide use, strict attention is paid to backward compatibility with these existing implementations.

IETF Datatracker

Exciting news from the coalface! The first beta of Hockeypuck 2.4 with PQC support is now live on https://test.pgpkeys.eu for public evaluation.

#OpenPGP is going post-quantum in 2026, and the #Hockeypuck #keyserver software is prepared to distribute post-quantum-safe OpenPGP certificates.

Hockeypuck 2.4-beta1 supports post-quantum-safe signing and encryption algorithms based on ML-DSA-65, ML-DSA-87, ML-KEM-768, and ML-KEM-1024, each used in hybrid mode with either curve25519 or curve448 ECC. These are the mandatory and recommended algorithms from the upcoming OpenPGP PQC spec [1].

In order to distribute the new primary (signing) keys safely, without adversely impacting older client software, they are only distributed over the HKPv2 API. Hockeypuck implements the `certs`, `index` and `prefixlog` endpoints as defined in the latest HKP draft spec [2]. These enable upload, download, and querying of PQC-enabled primary keys.

PQC encryption subkeys using ML-KEM-768 are also distributed over the legacy HKP interface if they are attached to a v4 primary key, because these are safely ignored by #GnuPG.

(GnuPG’s “kyber” algorithms are unfortunately not supported due to interoperability issues)

Hockeypuck 2.4 development has been kindly supported by @NGIZero Core.

[1] https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc
[2] https://datatracker.ietf.org/doc/html/draft-gallagher-openpgp-hkp


RE: https://mastodon.social/@protonprivacy/116521505054845875

Argh, Proton beat us to it! 😂

Congratulations to the Proton crypto team. We have been working closely with them for some years now to help improve the #OpenPGP ecosystem. Hockeypuck shares a Go cryptography library with ProtonMail's server-side codebase and we're continually working on enhancements.

Don't worry - PQC support in Hockeypuck will be shipped *very soon now* 😈 Watch this space!

Congrats to @protonprivacy for beating us on introducing Post-Quantum Cryptography into mail messaging!

No worries. We'll implement https://autocrypt2.org which additionally offers reliable deletion / forward secrecy during 2026 :)

We are working with Proton cryptographers on OpenPGP specifications, and they are now moving towards using @rpgp , the end-to-end encryption we are using.

Everything will be based on RFC9580 (#OpenPGP v6) ... the ecosystem is moving :)

https://proton.me/blog/introducing-post-quantum-encryption

Autocrypt v2 - Post-Quantum and Reliable Deletion

Modern OpenPGP v6 certificate with post-quantum cryptography, reliable deletion, and transport-agnostic messaging for decentralized systems.

We are pleased to announce the release of Hockeypuck 2.3.3.

This is a feature-preview release that partially implements https://github.com/hockeypuck/hockeypuck/wiki/HIP-013:-In%E2%80%90Band-Metadata-Sync-Using-Trust-Packets . It also fixes a bug due to stale entries in the PostgreSQL database.

Hockeypuck 2.3.3 adds support for the enumerableDomains configuration parameter. This is a list of domains for which the keyserver will return results when queried by UserID, even if the keys have been hard-revoked (https://hockeypuck.io/configuration.html#TOC_1.3). This mitigates a regression introduced in Hockeypuck 2.2, which meant that some organizational deployments did not reliably serve hard revocations.

There are no breaking changes between the 2.2 and 2.3 branches, and SKS sync is supported between 2.2 and 2.3 peers.

Release notes can be found at https://github.com/hockeypuck/hockeypuck/releases/tag/2.3.3

Hockeypuck 2.3 development is kindly supported by @NGIZero Core

----

Hockeypuck is a modern synchronising #OpenPGP #keyserver that is optimised for ease of deployment, particularly in containerised environments via docker-compose.

https://hockeypuck.io/
https://github.com/hockeypuck/hockeypuck

HIP 013: In‐Band Metadata Sync Using Trust Packets
