Order of lookup methods in --auto-key-retrieve
Werner Koch
wk at gnupg.org
Mon Jul 1 19:29:39 CEST 2019
On Sun, 30 Jun 2019 21:36, gnupg-devel at gnupg.org said:
> The code checks first the keyserver and then the WKD domain. I guess
> this is to limit the number of IP-leaking queries and prefer trusted
> keyserver.
Right, that was one idea. The other reason is that it is not possible to
look up a key from the WKD using a fingerprint. Before rfc-4880bis added
the /Issuer Fingerprint/ to signatures we only had the /Issuer's User
ID/ information in a signature to look up a key. With 2.1.13 we added
the latter to all signatures if possible so as to make --auto-key-retrieve
work.
I guess we should keep this information to prefer updating via WKD.
> I'm wondering if reversing the order (first WKD, then keyserver)
> wouldn't be a better option. The current mechanism is not perfect, so
Agreed.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
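The point Werner makes above (a keyserver can be queried by fingerprint, WKD only by the mail address in the Signer's User ID) as an added worked example in Python; this is not code from the message or from GnuPG. It derives WKD URLs per the Web Key Directory draft (SHA-1 of the lowercased local-part, z-base-32 encoded) and builds the ordered lookup plan for a signature in either method order; the address Joe.Doe@Example.ORG is a constructed sample, and `lookup_plan` is a hypothetical helper, not a gpg option.

```python
import base64
import hashlib
from typing import List, Optional, Tuple

# WKD encodes the SHA-1 digest with z-base-32: same bit packing as RFC 4648
# base32, different alphabet, no padding (160 bits -> exactly 32 chars).
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_B32_STD, _ZB32)


def wkd_hash(local_part: str) -> str:
    """z-base-32(SHA-1(lowercased local-part)) as used in the WKD path."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def wkd_urls(user_id: str) -> List[str]:
    """Advanced and direct WKD URLs; WKD needs a mail address, never a fingerprint."""
    addr = user_id[user_id.find("<") + 1:user_id.find(">")] if "<" in user_id else user_id
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    return [
        f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}",
        f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
    ]


def lookup_plan(issuer_fpr: Optional[str], signer_uid: Optional[str],
                wkd_first: bool = False) -> List[Tuple[str, str]]:
    """Ordered (method, query) pairs --auto-key-retrieve could try for a signature.

    With only an Issuer Fingerprint subpacket, WKD is not an option at all, so
    reversing the order changes nothing for such signatures (hypothetical model).
    """
    plan: List[Tuple[str, str]] = []
    if issuer_fpr:
        plan.append(("keyserver", "0x" + issuer_fpr.replace(" ", "").upper()))
    if signer_uid and "@" in signer_uid:
        plan.append(("wkd", wkd_urls(signer_uid)[0]))
    if wkd_first:
        plan.sort(key=lambda m: m[0] != "wkd")  # stable sort: WKD entries first
    return plan


if __name__ == "__main__":
    for method, query in lookup_plan("ABCD 1234", "Joe Doe <Joe.Doe@Example.ORG>", wkd_first=True):
        print(method, query)
```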