WKD: returns only one pubkey (and why)

Andrew Gallagher andrewg at andrewg.com
Wed Dec 14 13:42:57 CET 2022


On 14 Dec 2022, at 11:20, Dashamir Hoxha <dashohoxha at gmail.com> wrote:
> 
> If the signer wants the people to be able to verify his signature, then he can certainly include his ID on the signature. We can rely on this. The client that is trying to verify the signature can find both the key id and the user id, so he can construct a valid well-known url for retrieving the public key.

That’s not what I meant by “rely upon”. The sender subpacket is not mandatory, therefore we must still handle cases where it doesn’t exist.

>>> However, if we have such a directory service, then we can just list the url where the public key is located, so maybe we don't need a "well-known url" format.
>> 
>> 
>> Or we could just serve the key directly from the directory… ;-)
> 
> It is not the same, in my opinion, because you cannot delete the key from a keyserver, but you can delete the key from a web directory (which is under your control).

That depends on the keyserver. You can’t delete a key from sks-keyserver, but almost nobody runs that any more. Other keyservers do implement some form of deletion (although the UX currently isn’t great).

A hypothetical “indirect” keyserver could send you to the authoritative source; or it could just cache the contents of the authoritative source and serve it directly (no less trustworthy, and slightly more robust).

A
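As an added example (not code from Andrew, Dashamir or the GnuPG project): how a verifying client would derive the WKD well-known URLs from a user ID it finds in a signature, and what it has to do when the optional sender subpacket is absent. It assumes the mapping from draft-koch-openpgp-webkey-service (SHA-1 of the lower-cased local part, z-base-32 encoded, domain lower-cased, original local part in the `l=` query); the addresses below are constructed.

```python
import hashlib
import re
from urllib.parse import quote

# Zooko's z-base-32 alphabet, as used by WKD (no padding characters).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, MSB first."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (always 32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Return the advanced and direct WKD URLs; a client tries advanced first."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()           # the domain part is case-insensitive
    h = wkd_hash(local)
    l = quote(local, safe="")         # the local part as written, percent-encoded
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def urls_from_sender(sender_uid):
    """Derive lookup URLs from a Signer's User ID subpacket value (hypothetical helper).

    The subpacket is optional, so sender_uid may be None: then there is nothing to
    hash and the caller must fall back to another lookup (keyserver, local keyring).
    """
    if not sender_uid:
        return None
    m = re.search(r"<([^<>@\s]+@[^<>@\s]+)>", sender_uid)   # "Name <addr>" form
    addr = m.group(1) if m else sender_uid.strip()
    if "@" not in addr:
        return None
    return wkd_urls(addr)


if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG"))          # constructed address
    print(urls_from_sender(None))                    # -> None: no sender subpacket
```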


