Including non-selfsigs in WKD?

Ingo Klöcker kloecker at kde.org
Sun Jul 10 19:04:33 CEST 2022


On Sonntag, 10. Juli 2022 13:11:50 CEST Dashamir Hoxha wrote:
> On Sun, Jul 10, 2022 at 10:27 AM Ingo Klöcker <kloecker at kde.org> wrote:
> 
> > The preferred way to "export" the key data to publish via WKD (not by the
> > spec, but by WKD's inventor) is to use gpg-wks-client.
> 
> WKD and WKS are different things (as far as I know), so "gpg-wks-client" is
> probably not a suitable name for the tool. It may cause some confusion to
> the users.

Well, WKS is a service providing keys via the WKD protocol. gpg-wks-client is 
meant to be used with a WKS. Hence its name. Incidentally, it provides a 
command for exporting a key suitable for uploading to a WKS (or some other WKD 
provider).

> > The point of WKD is that your trust in the domain owner replaces the nerdy
> > web-of-trust. WKD is supposed to provide small keys, not gigantic keys with
> 
> My understanding is that the point of WKD is to make public keys
> discoverable automatically, thus being an alternative (or replacement) for
> the keyserver infrastructure.
> I don't see why it should replace the web-of-trust, even if it is nerdy.

It doesn't replace it, but, depending on your trust model, i.e. if you trust 
the domain owner that only people controlling a certain email address for that 
domain can upload OpenPGP keys for this email address, it can make the web-of-
trust superfluous.

> Also I don't see why the keys should be small, as long as their size is
> under the user's control.

Because I don't want to download 1000s of certifications by third-parties I 
don't even know. But do as you wish.

> > publish. But don't expect gpg to import via WKD anything and everything you
> > publish, e.g. it strips all user IDs not matching the looked up email address
> > and it imports at most 5 keys.
> 
> Maybe it makes sense, but I still don't understand why it should strip the
> other user IDs, even if they are useless or redundant.

Because WKD is a proof-of-control over an email address (if the domain owner 
does it right). gpg takes note from where it imported a key/user ID and in the 
future it might add a trust model that gives user IDs retrieved via WKD more 
than "unknown" validity. Moreover, it prevents users from being tricked into 
using wrong keys for some email addresses.

> Also I don't understand the meaning of "it imports at most 5 keys",

The "meaning" can be found in the source code. The code doing the import 
simply ignores the rest of the data after five keys have been imported.

> and why such a limit is necessary (or why it is a good practice).

Why would you want to provide more than five keys for the same email address? 
gpg will only ever use one of those keys when encrypting a message to some 
email address. By the way, WKD recommends to provide only a single key. The 
exception is also providing some older key(s) to ease certificate rollover.

Regards,
Ingo
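The import rules Ingo describes above (user IDs that do not match the looked-up address are stripped, and only five keys are imported) can be modelled as a small filter. The code below is an added example, not GnuPG's code and not from the thread; the `Key` type, the `filter_wkd_response` function, the constructed sample response and the assumption that the five-key cap counts keys actually imported (rather than keys present in the data) are all mine. It is useful for reasoning about what a client will end up trusting from a WKD answer, and for logging what was discarded.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The constant and rules below are a simplified reading of the thread, not
# GnuPG's implementation.
MAX_WKD_KEYS = 5                       # gpg ignores the data after 5 imported keys
_ADDR_RE = re.compile(r"<([^>]+)>\s*$")  # "Name <addr>" form of an OpenPGP user ID


@dataclass(frozen=True)
class Key:
    """Constructed stand-in for one OpenPGP certificate in a WKD response."""
    fingerprint: str
    user_ids: Tuple[str, ...]


def uid_email(user_id: str) -> Optional[str]:
    """Return the lower-cased email address of a user ID, or None if it has none."""
    m = _ADDR_RE.search(user_id)
    addr = m.group(1) if m else user_id.strip()
    return addr.lower() if "@" in addr else None


def filter_wkd_response(keys: List[Key], looked_up_email: str):
    """Apply the WKD import rules from the thread to a decoded response.

    Returns (imported, dropped): imported holds Key objects reduced to the
    user IDs matching the looked-up address; dropped lists (fingerprint,
    reason) pairs for everything the lookup discarded, so it can be logged.
    """
    wanted = looked_up_email.lower()
    imported, dropped = [], []
    for key in keys:
        if len(imported) >= MAX_WKD_KEYS:
            # Assumption: the cap counts keys already imported, not keys seen.
            dropped.append((key.fingerprint, "beyond %d-key import limit" % MAX_WKD_KEYS))
            continue
        keep = tuple(u for u in key.user_ids if uid_email(u) == wanted)
        if not keep:
            # A key that only carries other addresses is not a proof of control
            # over the looked-up address, so it is dropped entirely.
            dropped.append((key.fingerprint, "no user ID matches %s" % wanted))
            continue
        imported.append(Key(key.fingerprint, keep))
    return imported, dropped


# Constructed sample: one key with a matching and a foreign user ID, one key
# with only a foreign user ID, and six keys that all claim the same address
# (with different letter case) to push past the five-key limit.
SAMPLE_RESPONSE = [
    Key("AAAA" * 10, ("Alice <alice@example.org>", "Alice <alice@other.example>")),
    Key("BBBB" * 10, ("alice@other.example",)),
] + [Key(("%04X" % i) * 10, ("Alice <Alice@Example.org>",)) for i in range(1, 7)]


if __name__ == "__main__":
    kept, gone = filter_wkd_response(SAMPLE_RESPONSE, "alice@example.org")
    for k in kept:
        print("imported", k.fingerprint[:8], k.user_ids)
    for fpr, why in gone:
        print("dropped ", fpr[:8], why)
```

Running the sample shows the first key surviving with only its `alice@example.org` user ID, the foreign-only key being dropped, and the last two of the six look-alike keys being ignored once five keys have been imported. The address comparison is case-insensitive on the whole address, which is a simplification; the domain part is case-insensitive by definition while the local part strictly is not.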