Including non-selfsigs in WKD?

Simon Josefsson simon at josefsson.org
Sat Jul 9 14:44:44 CEST 2022


Dashamir Hoxha via Gnupg-devel <gnupg-devel at lists.gnupg.org> writes:

> The question of publishing the signatures of a public key, along with the
> public key itself, is interesting. I never thought about it.
> Now that I think about it, it seems to me that it is completely up to the
> user how to export the key and how to publish it.

Yes, that's how it looks today, and we could leave it at that and let
users decide this themselves, probably guided by tutorials or
implementation defaults.  I changed my own way of doing things from
publishing a minimal key to one with signatures in it yesterday, so that
clients are able to get my non-self sigs in a reliable way now that key
servers are unreliable.

This feels a bit sub-optimal though.  I think if my suggested text was
in the specification, we would likely end up with a better world than
without the text: one where the OpenPGP web of trust is slightly more
likely to work.  I may be missing something though, so more discussion
would be good.

> I agree that these things should be discussed and explained somewhere, in
> user guides, tutorials, etc. But maybe not in the spec. The spec does not
> even mention the command `gpg --export`, how can it describe and detail
> export options?

The spec can speak about what data should go into the file, that's the
point of a specification.  It shouldn't speak about
implementation-specific commands of course.  Right now it says any
OpenPGP public key for the particular user is valid, but I don't think
it says anything either way about which sub-packets of that public key
are permitted, encouraged or forbidden in the WKD published data.

/Simon
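
Added example (not part of the original message, and not GnuPG or WKD draft code): Python that walks the packets of a binary, non-armored OpenPGP key, as it would be published via WKD, and counts v4 User ID certifications whose claimed issuer is the primary key versus some other key. It assumes a v4 primary key and does not verify any signature, so the issuer is only what each packet claims; all function names are hypothetical.

```python
import hashlib

def varlen(buf, i):
    """Decode a new-format packet or subpacket length; return (length, next index)."""
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] < 255:
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, body) per packet; partial/indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        hdr, size = data[i], 1 << (data[i] & 3)
        if hdr & 0x40 and not 224 <= data[i + 1] < 255:   # new-format header
            tag, (n, i) = hdr & 0x3F, varlen(data, i + 1)
        elif not hdr & 0x40 and size < 8:                 # old-format header
            tag, n = (hdr >> 2) & 15, int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        else:
            raise ValueError("unsupported packet length encoding")
        yield tag, data[i:i + n]
        i += n

def issuer(sig):
    """Key ID a v4 signature claims (subpacket 16, or the tail of subpacket 33)."""
    pos = 4                                               # skip version, type, two algo octets
    for _ in range(2):                                    # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(sig[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            n, start = varlen(sig, pos)                   # n counts the type octet too
            kind, val, pos = sig[start] & 0x7F, sig[start + 1:start + n], start + n
            if kind in (16, 33):
                return val[-8:]
    return None

def certifications(key):
    """Count v4 User ID certifications made by the primary key vs. by other keys."""
    counts, primary = {"self": 0, "third_party": 0}, None
    for tag, body in packets(key):
        if tag == 6:                                      # v4 key ID = low 64 bits of SHA-1
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
            primary = fpr[-8:]
        elif tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13:
            counts["self" if issuer(body) == primary else "third_party"] += 1
    return counts
```

Call `certifications()` on the raw bytes of the published key file; a key published as a minimal key reports zero third-party certifications.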