From the GitHub wiki, an org specifies a key that is used to sign a list of all other keys, which is then distributed over HTTP. Quite similar to a private key server, but doesn't require running special server software I guess?