Web Key Discovery

Peter Lebbing peter at digitalbrains.com
Fri Apr 6 18:05:16 CEST 2018


On 06/04/18 16:55, Sam Bull wrote:
> Right, but likewise, what if WKD decides a key is valid, but it has
> multiple user IDs, then once again I could receive a "valid" key with
> a user ID that doesn't belong to them and have the same issue.

1) WKD should offer a key with a single UID.
2) Validity refers to UIDs, not to complete certificates. Even if there
is some other UID on the certificate, TOFU would only validate the UID
that it has seen a mapping for.

> At this point, there is no advantage to the user ID matching the
> address, as you are individually storing the addresses you have
> validated the key for.

You validate a relation between an e-mail address in a UID and a key. If
you change the e-mail address, there is no UID to validate, there is no
relation, nothing.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
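An added example (not code from this thread or from GnuPG) illustrating the two points above: a minimal TOFU store that binds an address only to the UID that carries it, leaving other UIDs on the same certificate unvalidated, and, going beyond the message, the WKD direct-method lookup path for that address. Cert, TofuStore and the fingerprints are constructed; the z-base-32 encoding is my reading of the WKD draft, so verify it against your GnuPG version.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part (assumption: per the WKD draft).
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """z-base-32 encode, most significant bit first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)  # align to 5-bit groups
    return "".join(ZB32[(bits >> (5 * i)) & 31] for i in range(nchars - 1, -1, -1))

def wkd_direct_path(addr: str) -> str:
    """WKD direct-method URL: SHA-1 of the lowercased local part, z-base-32 encoded."""
    local, domain = addr.rsplit("@", 1)
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{hu}?l={quote(local)}"

def uid_address(uid: str) -> str:
    """E-mail address from a UID like 'Joe Doe <joe@example.org>' (lowercased)."""
    start, end = uid.rfind("<"), uid.rfind(">")
    return (uid[start + 1:end] if 0 <= start < end else uid).strip().lower()

@dataclass
class Cert:  # constructed stand-in for an OpenPGP certificate
    fingerprint: str
    uids: List[str]

@dataclass
class TofuStore:
    """Trust-on-first-use bindings: lowercased address -> fingerprint first seen."""
    bindings: dict = field(default_factory=dict)

    def bind_from_wkd(self, addr: str, cert: Cert) -> Optional[str]:
        """Bind addr to cert only if a UID on cert carries exactly addr, and return
        that UID. Other UIDs get no binding; an existing binding is never overwritten."""
        wanted = addr.lower()
        matching = [u for u in cert.uids if uid_address(u) == wanted]
        if not matching:
            return None
        self.bindings.setdefault(wanted, cert.fingerprint)
        return matching[0]

    def is_bound(self, addr: str, fingerprint: str) -> bool:
        return self.bindings.get(addr.lower()) == fingerprint
```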
