Including non-selfsigs in WKD?

Dashamir Hoxha dashohoxha at gmail.com
Sat Jul 9 12:31:45 CEST 2022


On Sat, Jul 9, 2022 at 11:09 AM Simon Josefsson via Gnupg-devel <
gnupg-devel at lists.gnupg.org> wrote:

> Hi
>
> I'm reading
>
> https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-14
>
> with the background that the OpenPGP web of trust has a problem that
> many services now do not offer non-selfsig of the keys they return,
> making it difficult to get hold of them and then build a web of trust
> confidence in the key that was retrieved.
>

The question of publishing the signatures of a public key, along with the
public key itself, is interesting. I never thought about it.
Now that I think about it, it seems to me that it is completely up to the
user how to export the key and how to publish it.
For example, instead of using a command like:

    gpg --no-armor --export \
            user@example.org > nmxk159crbcuk3imqiw13gkjmfwd8mqj

You can use a command like this to avoid exporting any signatures:

    gpg --no-armor --export \
            --export-options export-minimal \
            user@example.org > nmxk159crbcuk3imqiw13gkjmfwd8mqj

By default, the signatures are exported with the public key. Or you can use
the option "export-clean" instead, in order to avoid exporting the
signatures that are not usable.
For more details see:
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Input-and-Output.html

> My hope was there would (or: could) be guidance on this matter in this
> document, but I don't see any -- am I missing it?
>
> I think it would be nice if this topic were discussed in the
> document, possibly as a security consideration and with
> recommendations.
>
> How about the following strawman that illustrates what I'm after?
>
>   OpenPGP keys can contain signatures from others that may aid in
>   determining the trustworthiness of a certain key (the web of trust).
>   Including these signatures in the published file is therefore
>   RECOMMENDED.  The primary reason for not doing so may be due to size
>   constraints or when permission to publish a third-party personal
>   identifier has not been granted.
>
> What do you think?
>

I agree that these things should be discussed and explained somewhere, in
user guides, tutorials, etc. But maybe not in the spec. The spec does not
even mention the command `gpg --export`, how can it describe and detail
export options?

Regards,
Dashamir
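The file name used in the commands above is the WKD "hashed local part" from the draft Simon cites: z-base-32 of the SHA-1 of the lowercased local part, which gives a fixed 32-character name. The following helper, added here as an illustration and not part of the thread, the draft or GnuPG, derives that name, the two lookup URLs the draft defines (direct and advanced method), and the argv for an export with or without `export-minimal`. The function names are assumptions; `hashlib.sha1` and the gpg options `--no-armor`, `--export`, `--export-options` and `--output` are real.

```python
"""WKD publishing helper (added example, not from the WKD draft or GnuPG).

Derives the hashed local part used as the file name under
.well-known/openpgpkey/, the direct/advanced lookup URLs, and the gpg
export command line, so the effect of `export-minimal` can be compared.
"""
import hashlib
from typing import Dict, List

# z-base-32 alphabet (the encoding the WKD draft uses for the file name).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding characters."""
    bits = "".join(f"{byte:08b}" for byte in data)
    if len(bits) % 5:                      # pad the tail group with zero bits
        bits += "0" * (5 - len(bits) % 5)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """Hashed local part: z-base-32(SHA-1(lowercase(local part))).

    SHA-1 is 160 bits, so the result is always exactly 32 characters.
    Lowercasing first makes Joe.Doe@ and joe.doe@ resolve to one file.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Dict[str, str]:
    """Direct- and advanced-method URLs for one address (helper name assumed)."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()                # the draft uses the lowercased domain
    hashed = wkd_hash(local)
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={local}",
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{hashed}?l={local}"),
    }


def export_command(address: str, minimal: bool) -> List[str]:
    """argv for the gpg export that writes the binary key under its WKD name.

    minimal=True drops all third-party signatures (export-minimal); False
    keeps the default behaviour, which exports them along with the key.
    """
    local, _domain = address.rsplit("@", 1)
    argv = ["gpg", "--no-armor", "--export"]
    if minimal:
        argv += ["--export-options", "export-minimal"]
    argv += ["--output", wkd_hash(local), address]
    return argv


if __name__ == "__main__":
    # Constructed sample address, not taken from the thread.
    addr = "Joe.Doe@Example.ORG"
    for method, url in wkd_urls(addr).items():
        print(f"{method:8s} {url}")
    print(" ".join(export_command(addr, minimal=False)))
    print(" ".join(export_command(addr, minimal=True)))
```

Run the two printed commands against a keyring and compare the two output files with `gpg --list-packets`: the minimal one carries only the key, user IDs and self-signatures, the default one also the third-party certifications Simon wants published.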