Including non-selfsigs in WKD?

Simon Josefsson simon at josefsson.org
Sat Jul 9 10:00:51 CEST 2022


Hi

I'm reading

https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-14

with the background that the OpenPGP web of trust has a problem that
many services now do not offer non-selfsig of the keys they return,
making it difficult to get hold of them and then build a web of trust
confidence in the key that was retrieved.

My hope was there would (or: could) be guidance on this matter in this
document, but I don't see any -- am I missing it?

I think it would be nice if this topic were discussed in the
document, possibly as a security consideration and with
recommendations.

How about the following strawman that illustrates what I'm after?

  OpenPGP keys can contain signatures from others, that may aid in
  determining the trustworthiness of a certain key (the web of trust).
  Including these signatures in the published file is therefore
  RECOMMENDED.  The primary reason for not doing so may be due to size
  constraints or when permission to publish a third-party personal
  identifier has not been granted.

What do you think?

/Simon
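The practical question behind the strawman is whether a key as served by WKD still carries third-party certifications, or whether the publisher stripped them. Below is an added example, not code from this message or from GnuPG, that walks the OpenPGP packet stream of a binary key (WKD serves keys in binary, not ASCII-armored, form), computes the primary key's v4 key ID, and classifies each signature packet as a self-signature or a third-party certification by its issuer subpacket. It also shows the other side of the trade-off the strawman mentions: a `strip_third_party` helper a publisher could use when size or consent constraints mean only self-signatures may be published. The sample key embedded at the bottom is constructed for the example (fake key material and fake signature MPIs, synthetic key IDs); only the packet framing is real RFC 4880 format. Partial-body lengths and v3 signatures are out of scope and rejected.

```python
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SUBPKT_ISSUER = 16  # RFC 4880 5.2.3.5: 8-octet key ID of the signer


def _read_new_len(data, i):
    """New-format packet length (RFC 4880 4.2.2); partial bodies are refused."""
    b = data[i]
    if b < 192:
        return b, i + 1
    if b < 224:
        return ((b - 192) << 8) + data[i + 1] + 192, i + 2
    if b == 255:
        return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")


def _read_subpkt_len(data, i):
    """Signature subpacket length (RFC 4880 5.2.3.1): 1, 2 or 5 octets."""
    b = data[i]
    if b < 192:
        return b, i + 1
    if b < 255:
        return ((b - 192) << 8) + data[i + 1] + 192, i + 2
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5


def parse_packets(data):
    """Return a list of (tag, body) for each packet in a binary OpenPGP blob."""
    i, out = 0, []
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            length, i = _read_new_len(data, i + 1)
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
            i += 1 + n
        out.append((tag, data[i:i + length]))
        i += length
    return out


def encode_packet(tag, body):
    """Serialize a packet with a new-format header."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def v4_key_id(pubkey_body):
    """Key ID = low 64 bits of the v4 fingerprint SHA1(0x99 || len || body)."""
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()
    return fp[-8:]


def signature_issuer(sig_body):
    """Return the issuer key ID from a v4 signature's subpackets, or None."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures supported")
    i, issuer = 4, None  # skip version, sig type, pk algo, hash algo
    for _ in range(2):  # hashed area, then unhashed area
        count = struct.unpack(">H", sig_body[i:i + 2])[0]
        i += 2
        end = i + count
        while i < end:
            sublen, i = _read_subpkt_len(sig_body, i)
            if sig_body[i] & 0x7F == SUBPKT_ISSUER:  # mask the critical bit
                issuer = sig_body[i + 1:i + 9]
            i += sublen
        i = end
    return issuer


def classify_signatures(blob):
    """Count self-signatures and list third-party issuers (hex key IDs)."""
    packets = parse_packets(blob)
    own = v4_key_id(next(body for tag, body in packets if tag == TAG_PUBLIC_KEY))
    report = {"self": 0, "third_party": []}
    for tag, body in packets:
        if tag != TAG_SIGNATURE:
            continue
        issuer = signature_issuer(body)
        if issuer == own:
            report["self"] += 1
        else:
            report["third_party"].append((issuer or b"").hex())
    return report


def strip_third_party(blob):
    """Re-serialize the key keeping only packets that are not third-party sigs."""
    packets = parse_packets(blob)
    own = v4_key_id(next(body for tag, body in packets if tag == TAG_PUBLIC_KEY))
    kept = [(t, b) for t, b in packets if t != TAG_SIGNATURE or signature_issuer(b) == own]
    return b"".join(encode_packet(t, b) for t, b in kept)


def _make_signature(issuer_key_id, sig_type):
    # Constructed v4 signature: only the issuer subpacket is meaningful; the
    # hash prefix and MPI are placeholders, so this does not verify.
    sub = bytes([9, SUBPKT_ISSUER]) + issuer_key_id
    hashed = struct.pack(">H", len(sub)) + sub
    return bytes([4, sig_type, 22, 8]) + hashed + b"\x00\x00" + b"\xab\xcd" + b"\x00\x01\x01"


# Constructed sample: v4 EdDSA-shaped primary key with zeroed key material.
PRIMARY_KEY_BODY = (bytes([4]) + struct.pack(">I", 1657353651) + bytes([22])
                    + b"\x09\x2b\x06\x01\x04\x01\xda\x47\x0f\x01" + b"\x01\x07\x40" + bytes(32))
OWN_ID = v4_key_id(PRIMARY_KEY_BODY)
SAMPLE_KEY = b"".join([
    encode_packet(TAG_PUBLIC_KEY, PRIMARY_KEY_BODY),
    encode_packet(TAG_USER_ID, b"Example User <user@example.org>"),
    encode_packet(TAG_SIGNATURE, _make_signature(OWN_ID, 0x13)),  # self-certification
    encode_packet(TAG_SIGNATURE, _make_signature(bytes.fromhex("0011223344556677"), 0x10)),
    encode_packet(TAG_SIGNATURE, _make_signature(bytes.fromhex("8899aabbccddeeff"), 0x12)),
])

if __name__ == "__main__":
    print(classify_signatures(SAMPLE_KEY))
    print(classify_signatures(strip_third_party(SAMPLE_KEY)))
```

To audit a real WKD-served key, fetch the binary file into `blob` and call `classify_signatures(blob)`; an empty `third_party` list on a key known to be widely certified is the symptom the message describes. The classifier trusts the issuer subpacket as written, which is exactly what a web-of-trust client then has to verify against the issuer's public key; this script only inventories what the publisher chose to include.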