Have you considered using Web Key Directory [0] for initial key lookup? Usually someone wants a key for a given email address (e.g. example@firstlook.media) and WKD solves just that. This is natively supported by GnuPG and some email clients (Enigmail in Thunderbird).
Do you use signatures and ownertrust so that the users' keys appear as "valid"? Or is that user's responsibility to sign the authority key and mark is as fully trusted?
[0]: https://wiki.gnupg.org/WKD
Do you use signatures and ownertrust so that the users' keys appear as "valid"? Or is that user's responsibility to sign the authority key and mark is as fully trusted?