diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
index 8a0600159..88334e9af 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
@@ -209,7 +209,7 @@ public class PgpDecryptVerifyOperation extends BaseOperation<PgpDecryptVerifyInp
 
         int symmetricEncryptionAlgo = 0;
 
-        HashSet<Long> skippedDisallowedKeys = new HashSet<>();
+        HashSet<Long> skippedDisallowedEncryptionKeys = new HashSet<>();
         boolean insecureEncryptionKey = false;
 
         // convenience method to return with error
@@ -608,7 +608,7 @@ public class PgpDecryptVerifyOperation extends BaseOperation<PgpDecryptVerifyInp
                         if (!input.getAllowedKeyIds().contains(masterKeyId)) {
                             // this key is in our db, but NOT allowed!
                             // continue with the next packet in the while loop
-                            result.skippedDisallowedKeys.add(masterKeyId);
+                            result.skippedDisallowedEncryptionKeys.add(subKeyId);
                             log.add(LogType.MSG_DC_ASKIP_NOT_ALLOWED, indent + 1);
                             continue;
                         }
@@ -817,10 +817,12 @@ public class PgpDecryptVerifyOperation extends BaseOperation<PgpDecryptVerifyInp
                 return result.with(new DecryptVerifyResult(DecryptVerifyResult.RESULT_NO_DATA, log));
             }
             // there was data but key wasn't allowed
-            if (!result.skippedDisallowedKeys.isEmpty()) {
+            if (!result.skippedDisallowedEncryptionKeys.isEmpty()) {
                 log.add(LogType.MSG_DC_ERROR_NO_KEY, indent + 1);
-                long[] skippedDisallowedKeys = KeyFormattingUtils.getUnboxedLongArray(result.skippedDisallowedKeys);
-                return result.with(new DecryptVerifyResult(DecryptVerifyResult.RESULT_KEY_DISALLOWED, log, skippedDisallowedKeys));
+                long[] skippedDisallowedEncryptionKeys =
+                        KeyFormattingUtils.getUnboxedLongArray(result.skippedDisallowedEncryptionKeys);
+                return result.with(new DecryptVerifyResult(
+                        DecryptVerifyResult.RESULT_KEY_DISALLOWED, log, skippedDisallowedEncryptionKeys));
             }
             // no packet has been found where we have the corresponding secret key in our db
             log.add(LogType.MSG_DC_ERROR_NO_KEY, indent + 1);
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java
index 754f64e35..c8838d86c 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java
@@ -17,6 +17,9 @@
 
 package org.sufficientlysecure.keychain.remote;
 
+
+import java.util.ArrayList;
+
 import android.app.PendingIntent;
 import android.content.Context;
 import android.content.Intent;
@@ -37,8 +40,6 @@ import org.sufficientlysecure.keychain.service.input.CryptoInputParcel;
 import org.sufficientlysecure.keychain.service.input.RequiredInputParcel;
 import org.sufficientlysecure.keychain.ui.ViewKeyActivity;
 
-import java.util.ArrayList;
-
 public class ApiPendingIntentFactory {
 
     Context mContext;
@@ -103,10 +104,10 @@ public class ApiPendingIntentFactory {
         return createInternal(data, intent);
     }
 
-    PendingIntent createRequestKeyPermissionPendingIntent(Intent data, String packageName, long masterKeyId) {
+    PendingIntent createRequestKeyPermissionPendingIntent(Intent data, String packageName, long[] masterKeyIds) {
         Intent intent = new Intent(mContext, RequestKeyPermissionActivity.class);
         intent.putExtra(RequestKeyPermissionActivity.EXTRA_PACKAGE_NAME, packageName);
-        intent.putExtra(RequestKeyPermissionActivity.EXTRA_REQUESTED_KEY_ID, masterKeyId);
+        intent.putExtra(RequestKeyPermissionActivity.EXTRA_REQUESTED_KEY_IDS, masterKeyIds);
 
         return createInternal(data, intent);
     }
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java
index e1b4de001..816f80600 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java
@@ -19,6 +19,15 @@
 package org.sufficientlysecure.keychain.remote;
 
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+
 import android.app.PendingIntent;
 import android.app.Service;
 import android.content.Intent;
@@ -66,15 +75,6 @@ import org.sufficientlysecure.keychain.util.InputData;
 import org.sufficientlysecure.keychain.util.Log;
 import org.sufficientlysecure.keychain.util.Passphrase;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.List;
-
 public class OpenPgpService extends Service {
     public static final int API_VERSION_WITH_RESULT_METADATA = 4;
     public static final int API_VERSION_WITH_KEY_REVOKED_EXPIRED = 5;
@@ -393,16 +393,15 @@ public class OpenPgpService extends Service {
                 result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_SUCCESS);
                 return result;
             } else {
-                long[] skippedDisallowedKeys = pgpResult.getSkippedDisallowedKeys();
-                if (pgpResult.isKeysDisallowed() && skippedDisallowedKeys.length > 0) {
-                    long masterKeyId = skippedDisallowedKeys[0];
-
+                long[] skippedDisallowedEncryptionKeys = pgpResult.getSkippedDisallowedKeys();
+                if (pgpResult.isKeysDisallowed() &&
+                        skippedDisallowedEncryptionKeys != null && skippedDisallowedEncryptionKeys.length > 0) {
                     // allow user to select allowed keys
                     Intent result = new Intent();
                     String packageName = mApiPermissionHelper.getCurrentCallingPackage();
                     result.putExtra(OpenPgpApi.RESULT_INTENT,
                             mApiPendingIntentFactory.createRequestKeyPermissionPendingIntent(
-                                    data, packageName, masterKeyId));
+                                    data, packageName, skippedDisallowedEncryptionKeys));
                     result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_USER_INTERACTION_REQUIRED);
                     return result;
                 }
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionActivity.java
index 6b4782d97..0296e9b48 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionActivity.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionActivity.java
@@ -37,7 +37,6 @@ import android.widget.ImageView;
 import android.widget.TextView;
 
 import org.openintents.openpgp.util.OpenPgpUtils.UserId;
-import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;
 import org.sufficientlysecure.keychain.remote.ui.RequestKeyPermissionPresenter.RequestKeyPermissionMvpView;
 import org.sufficientlysecure.keychain.ui.dialog.CustomAlertDialogBuilder;
@@ -46,7 +45,7 @@ import org.sufficientlysecure.keychain.ui.util.ThemeChanger;
 
 public class RequestKeyPermissionActivity extends FragmentActivity {
     public static final String EXTRA_PACKAGE_NAME = "package_name";
-    public static final String EXTRA_REQUESTED_KEY_ID = "requested_key_id";
+    public static final String EXTRA_REQUESTED_KEY_IDS = "requested_key_ids";
 
 
     private RequestKeyPermissionPresenter presenter;
@@ -70,9 +69,9 @@ public class RequestKeyPermissionActivity extends FragmentActivity {
 
         Intent intent = getIntent();
         String packageName = intent.getStringExtra(EXTRA_PACKAGE_NAME);
-        long masterKeyId = intent.getLongExtra(EXTRA_REQUESTED_KEY_ID, Constants.key.none);
+        long masterKeyIds[] = intent.getLongArrayExtra(EXTRA_REQUESTED_KEY_IDS);
 
-        presenter.setupFromIntentData(packageName, masterKeyId);
+        presenter.setupFromIntentData(packageName, masterKeyIds);
     }
 
     public static class RequestKeyPermissionFragment extends DialogFragment {
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionPresenter.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionPresenter.java
index 82b7cdb64..b4de0fe7d 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionPresenter.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RequestKeyPermissionPresenter.java
@@ -6,14 +6,18 @@ import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.graphics.drawable.Drawable;
+import android.support.annotation.Nullable;
 
 import org.openintents.openpgp.util.OpenPgpUtils.UserId;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;
+import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey.SecretKeyType;
 import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException;
 import org.sufficientlysecure.keychain.provider.ApiDataAccessObject;
 import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing;
+import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings;
 import org.sufficientlysecure.keychain.provider.ProviderHelper;
+import org.sufficientlysecure.keychain.provider.ProviderHelper.NotFoundException;
 import org.sufficientlysecure.keychain.remote.ApiPermissionHelper;
 import org.sufficientlysecure.keychain.remote.ApiPermissionHelper.WrongPackageCertificateException;
 import org.sufficientlysecure.keychain.util.Log;
@@ -29,29 +33,33 @@ class RequestKeyPermissionPresenter {
 
     private String packageName;
     private long masterKeyId;
+    private ProviderHelper providerHelper;
 
 
     static RequestKeyPermissionPresenter createRequestKeyPermissionPresenter(Context context) {
         PackageManager packageManager = context.getPackageManager();
         ApiDataAccessObject apiDataAccessObject = new ApiDataAccessObject(context);
         ApiPermissionHelper apiPermissionHelper = new ApiPermissionHelper(context, apiDataAccessObject);
+        ProviderHelper providerHelper = new ProviderHelper(context);
 
-        return new RequestKeyPermissionPresenter(context, apiDataAccessObject, apiPermissionHelper, packageManager);
+        return new RequestKeyPermissionPresenter(context, apiDataAccessObject, apiPermissionHelper, packageManager,
+                providerHelper);
     }
 
     private RequestKeyPermissionPresenter(Context context, ApiDataAccessObject apiDataAccessObject,
-            ApiPermissionHelper apiPermissionHelper, PackageManager packageManager) {
+            ApiPermissionHelper apiPermissionHelper, PackageManager packageManager, ProviderHelper providerHelper) {
         this.context = context;
         this.apiDataAccessObject = apiDataAccessObject;
         this.apiPermissionHelper = apiPermissionHelper;
         this.packageManager = packageManager;
+        this.providerHelper = providerHelper;
     }
 
     void setView(RequestKeyPermissionMvpView view) {
         this.view = view;
     }
 
-    void setupFromIntentData(String packageName, long masterKeyId) {
+    void setupFromIntentData(String packageName, long[] masterKeyIds) {
         checkPackageAllowed(packageName);
 
         try {
@@ -62,25 +70,58 @@ class RequestKeyPermissionPresenter {
             return;
         }
 
-        this.packageName = packageName;
-        this.masterKeyId = masterKeyId;
         try {
-            CachedPublicKeyRing cachedPublicKeyRing = new ProviderHelper(context).getCachedPublicKeyRing(masterKeyId);
-
-            UserId userId = cachedPublicKeyRing.getSplitPrimaryUserIdWithFallback();
-            view.displayKeyInfo(userId);
-
-            if (cachedPublicKeyRing.hasAnySecret()) {
-                view.switchToLayoutRequestKeyChoice();
-            } else {
-                view.switchToLayoutNoSecret();
-            }
+            setRequestedMasterKeyId(masterKeyIds);
         } catch (PgpKeyNotFoundException e) {
             view.finishAsCancelled();
         }
     }
 
+    private void setRequestedMasterKeyId(long[] subKeyIds) throws PgpKeyNotFoundException {
+        CachedPublicKeyRing secretKeyRingOrPublicFallback = findSecretKeyRingOrPublicFallback(subKeyIds);
+
+        if (secretKeyRingOrPublicFallback == null) {
+            throw new PgpKeyNotFoundException("No key found among requested!");
+        }
+
+        this.masterKeyId = secretKeyRingOrPublicFallback.getMasterKeyId();
+
+        UserId userId = secretKeyRingOrPublicFallback.getSplitPrimaryUserIdWithFallback();
+        view.displayKeyInfo(userId);
+
+        if (secretKeyRingOrPublicFallback.hasAnySecret()) {
+            view.switchToLayoutRequestKeyChoice();
+        } else {
+            view.switchToLayoutNoSecret();
+        }
+    }
+
+    @Nullable
+    private CachedPublicKeyRing findSecretKeyRingOrPublicFallback(long[] subKeyIds) {
+        CachedPublicKeyRing publicFallbackRing = null;
+        for (long candidateSubKeyId : subKeyIds) {
+            try {
+                CachedPublicKeyRing cachedPublicKeyRing = providerHelper.getCachedPublicKeyRing(
+                        KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(candidateSubKeyId)
+                );
+
+                SecretKeyType secretKeyType = cachedPublicKeyRing.getSecretKeyType(candidateSubKeyId);
+                if (secretKeyType.isUsable()) {
+                    return cachedPublicKeyRing;
+                }
+                if (publicFallbackRing == null) {
+                    publicFallbackRing = cachedPublicKeyRing;
+                }
+            } catch (PgpKeyNotFoundException | NotFoundException e) {
+                // no matter
+            }
+        }
+        return publicFallbackRing;
+    }
+
     private void setPackageInfo(String packageName) throws NameNotFoundException {
+        this.packageName = packageName;
+
         ApplicationInfo applicationInfo = packageManager.getApplicationInfo(packageName, 0);
         Drawable appIcon = packageManager.getApplicationIcon(applicationInfo);
         CharSequence appName = packageManager.getApplicationLabel(applicationInfo);