(decryption_chapter)=
# Decryption

```{admonition} TODO
:class: warning

  - using expired certificate?
  - using revoked certificate?
  - using expired subkey?
  - using revoked subkey?
```

## Advanced topics

### Selecting decryption key

- Trying PKESKs until one works out
- consider "smart" strategies

additional wrinkle: hidden intended decryption key (`gnupg --throw-keyid`)
 
also see:

https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#pkesk-notes

> An implementation MAY accept or use a Key ID of all zeros, or an omitted key fingerprint, to hide the intended decryption key