WKD shall we add distributing multiple pubkeys? (Re: WKD: returns only one pubkey (and why))

Dashamir Hoxha dashohoxha at gmail.com
Thu Dec 15 14:16:28 CET 2022


On Thu, Dec 15, 2022 at 1:47 PM Ingo Klöcker <kloecker@kde.org> wrote:

>
> You still haven't answered this crucial question:
> How do you know that you have to ask intevation.de for the key with the
> fingerprint (or key ID) 847FC5C4337D9CDBD473B7A60967FD258D6414F9 if all
> you know is the fingerprint (or key ID)?
>

I had doubts about this as well, but it was clarified that it is possible
to include the signer's userid in the signature:
https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035200.html
If you ask me, this should be the default option, because a signature
without a name does not make much sense. The problem might be that a key
may have several userids attached to it, and you don't know which one to
use, unless the user tells you.

Basically, the signer should use the option "--sender", like this:
`gpg --sign -a --sender alice@intevation.de file-to-be-signed`
Then the verifier will know both the key ID and the userid (email address
of the signer). From the userid you can derive that the domain of the WKD
well-known url is "intevation.de".

This depends on the signer using the option "--sender" when he makes a
signature, but he has to use it if he wants his signature to be verified
automatically through the WKD well-known url (as well as publish his public
keys on the WKD).

Regards,
Dashamir
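As an added illustration (not part of this thread or of GnuPG's own code), a Python sketch of the verifier-side step described above: pull the signer's user ID out of a `gpg --list-packets` dump of a signature made with `--sender`, then derive the WKD lookup URLs (advanced and direct method) from that address. The packet dump is constructed; the URL scheme follows the WKD draft.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding characters)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # pad to a multiple of 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_urls(email: str) -> dict:
    """Map a mail address to its WKD advanced- and direct-method URLs."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {email!r}")
    domain = domain.lower()
    # The local part is lowercased before hashing; the ?l= parameter keeps the original case.
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
    }


def signer_from_packets(dump: str):
    """Return the address from the signer's user ID subpacket, or None if absent.

    Without --sender there is no such subpacket, and the verifier has no
    way to derive the WKD domain from the signature alone.
    """
    m = re.search(r'''signer's user ID: "([^"]+)"''', dump)
    if not m:
        return None
    uid = m.group(1)
    addr = re.search(r"<([^>]+)>", uid)   # user ID may be "Name <addr>" or a bare address
    return (addr.group(1) if addr else uid).strip()


# Constructed sample of `gpg --list-packets` output for a signature made with
# `--sender alice@intevation.de`; fingerprint/key ID taken from the thread above.
SAMPLE_PACKETS = """\
:signature packet: algo 22, keyid 0967FD258D6414F9
\tversion 4, created 1671110188, md5len 0, sigclass 0x00
\thashed subpkt 33 len 21 (issuer fpr v4 847FC5C4337D9CDBD473B7A60967FD258D6414F9)
\thashed subpkt 28 len 19 (signer's user ID: "alice@intevation.de")
\tsubpkt 16 len 8 (issuer key ID 0967FD258D6414F9)
"""

if __name__ == "__main__":
    sender = signer_from_packets(SAMPLE_PACKETS)
    print(sender, wkd_urls(sender) if sender else "no --sender subpacket")
```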