WKD vs VV and VVV

[Bernhard Reiter]

Am Mittwoch 25 April 2018 17:41:52 schrieb Werner Koch:
> On Wed, 25 Apr 2018 08:49, bernhard at intevation.de said:
> >   ** no distribution of old pubkeys for old signatures.
> >      This may be a valid use case once the main use cases are solved.
>
> That is why we suggest to also upload keys to a keyserver.  Signatures
> carry the full fingerprint and thus the key can easily be retrieved from
> any keyserver.  The Web Key Directory is mainly for the _initial_ key
> discovery.

It seems that many people see value in the security goal of not publishing 
their email address to something like an open public keyserver.
I guess your position is that this has no value. From my point of view it has 
some value, though just a little bit. Thus is why I think ideally there 
should not be a default upload to public keyserver if we have WKD from the 
email provider. We should be able to get by without it. Anyways, this is not 
the major use case to solve, as you correctly point out.

> >   ** Because no authentication is needed when submitting a pubkey via
> > SMTP, it shall be possible to use this management servive as
> >      email-address-dossier.
> >      This is something I don't understand as WKD is not walkable.
>
> Wrong.  The mail provider sends the mail back to the legitimate owner of
> the address and not to the sender.  That is the whole point of all mail
> verification systems.

Yes, this is why I did not understand the point given in their description.

Best Regards,
Bernhard


-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180426/53283dc5/attachment.sig>