WKD: returns only one pubkey (and why)

Neal H. Walfield neal at walfield.org
Fri Dec 9 20:29:14 CET 2022


On Fri, 09 Dec 2022 17:39:24 +0100,
Andrew Gallagher via Gnupg-devel wrote:
> WKD is not useful for verifying signatures, as it does not support key discovery by fingerprint, only by email. In order to verify an arbitrary signature you must either look up the key by
> fingerprint on a keyserver that supports it, or distribute a trusted-signers keyring in advance, e.g. by installing a keyring package.

A signature can include the 'Signer's User ID' subpacket.  If that is
included in the signature, then it is possible to use WKD to look up
the certificate.

  https://www.rfc-editor.org/rfc/rfc4880#section-5.2.3.22

Further, it makes sense to follow up a key server lookup with other
lookups like WKD to make it harder for an attacker to withhold some of
the certificate (e.g., a revocation).

Neal
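The lookup path Neal describes, as an added example that is not part of the original post or of GnuPG: a small parser for the signature subpacket area (RFC 4880 section 5.2.3.1) that pulls the Signer's User ID (type 28, section 5.2.3.22) out of the hashed area only, and a function that turns the mail address in that User ID into the WKD advanced and direct lookup URLs (local-part lowercased, SHA-1 hashed, z-base-32 encoded, as in draft-koch-openpgp-webkey-service). The sample subpacket bytes at the bottom are constructed for the demo; any real lookup would still have to fetch the URL and check that the returned certificate actually carries the key that made the signature.

```python
import hashlib
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Signature subpacket types from RFC 4880 section 5.2.3.1 (only the ones used here).
SIG_CREATION_TIME = 2
SIGNER_USER_ID = 28          # section 5.2.3.22, the subpacket the post refers to

# z-base-32 alphabet used by WKD for the hashed local-part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def parse_subpackets(area: bytes) -> List[Tuple[int, bool, bytes]]:
    """Split a signature subpacket area into (type, critical, body) tuples.

    Length encoding follows RFC 4880 section 5.2.3.1: one octet below 192,
    two octets for 192..16319, and 0xff followed by a 4-octet length.
    The length counts the type octet, whose high bit is the 'critical' flag.
    """
    out: List[Tuple[int, bool, bytes]] = []
    i, n = 0, len(area)
    while i < n:
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            if i + 1 >= n:
                raise ValueError("truncated two-octet subpacket length")
            length = ((b0 - 192) << 8) + area[i + 1] + 192
            i += 2
        else:
            if i + 4 >= n:
                raise ValueError("truncated five-octet subpacket length")
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        if length < 1 or i + length > n:
            raise ValueError("subpacket length outside the area")
        type_octet = area[i]
        body = area[i + 1:i + length]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), body))
        i += length
    return out


def signer_user_id(hashed_area: bytes) -> Optional[str]:
    """Return the Signer's User ID from the *hashed* subpacket area, or None.

    Only the hashed area is covered by the signature; a User ID placed in the
    unhashed area could have been added by anyone, so it must not steer the lookup.
    """
    for sp_type, _critical, body in parse_subpackets(hashed_area):
        if sp_type == SIGNER_USER_ID:
            return body.decode("utf-8")
    return None


def zbase32(data: bytes) -> str:
    """z-base-32 encode without padding (20 SHA-1 bytes become 32 characters)."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32_ALPHABET[(bits >> (5 * (nchars - 1 - k))) & 31]
                   for k in range(nchars))


def wkd_urls(user_id: str) -> Dict[str, str]:
    """Build the WKD 'advanced' and 'direct' lookup URLs for a User ID.

    The local-part is lowercased, SHA-1 hashed and z-base-32 encoded; the domain
    is lowercased; the original local-part travels in the 'l' query parameter.
    """
    _name, addr = parseaddr(user_id)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"no mail address in User ID: {user_id!r}")
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
    }


# Constructed sample hashed area: a creation-time subpacket followed by a
# Signer's User ID subpacket (length 0x12 = type octet + 17 bytes of address).
SAMPLE_HASHED_AREA = (b"\x05\x02\x63\x93\x5f\x10"
                      + b"\x12\x1c" + b"alice@example.org")

if __name__ == "__main__":
    uid = signer_user_id(SAMPLE_HASHED_AREA)
    print("Signer's User ID:", uid)
    for kind, url in wkd_urls(uid).items():
        print(f"{kind:8s} {url}")
```

A fetch of the "advanced" URL is tried first and the "direct" URL second, which is the order WKD clients use; whichever answers, the certificate it returns is only usable for verification once it is confirmed to contain the issuing key, so the Signer's User ID is a discovery hint and not a trust decision.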
