Web Key Discovery

Bernhard Reiter bernhard at intevation.de
Fri Apr 6 10:08:57 CEST 2018

On Tuesday 03 April 2018 13:02:17 Sam Bull wrote:
> Why can't the web key discovery take the same approach?

Because we want to defend to some extent against an email provider 
manipulating the pubkeys it hands out for their users. Otherwise we are less 
end-to-end. Therefore we essentially assume that one email address is one 

In your case you want to control all emails to one email domain, but have 
them pose as different identities. So to me it's fine that WKD makes this a 
bit harder. (I don't know well enough which problem you are trying to solve 
with this.)

My suggestion is: As you are the only user on the server and completely 
controlling it: Add a new identity each time you create a new email alias
automatically on a server. If you want more security use a hardware token.
Note that someone who gets to control your server could just create new 
email aliases and a completely new keypair they control and divert emails 
sent to you, so you cannot defend against all of these attacks anyway.


www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
