Including non-selfsigs in WKD?

Simon Josefsson simon at josefsson.org
Mon Jul 11 12:29:44 CEST 2022


Ingo Klöcker <kloecker at kde.org> writes:

> On Saturday, 9 July 2022 14:44:44 CEST Simon Josefsson via Gnupg-devel wrote:
>> Dashamir Hoxha via Gnupg-devel <gnupg-devel at lists.gnupg.org> writes:
>> > I agree that these things should be discussed and explained somewhere, in
>> > user guides, tutorials, etc. But maybe not in the spec. The spec does not
>> > even mention the command `gpg --export`, how can it describe and detail
>> > export options?
>> 
>> The spec can speak about what data should go into the file, that's the
>> point of a specification.  It shouldn't speak about
>> implementation-specific commands of course.  Right now it says any
>> OpenPGP public key for the particular user is valid, but I don't think
>> it says anything either way about which sub-packets of that public key
>> are permitted, encouraged or forbidden in the WKD published data.
>
> The preferred way to "export" the key data to publish via WKD (not by the 
> spec, but by WKD's inventor) is to use gpg-wks-client.

Does it export signatures of the key?

> The point of WKD is that your trust in the domain owner replaces the nerdy 
> web-of-trust. WKD is supposed to provide small keys, not gigantic keys with 
> 1000s of third-party signatures. But in the end it's up to you what you 
> publish. But don't expect gpg to import via WKD anything and everything you 
> publish, e.g. it strips all user IDs not matching the looked up email address 
> and it imports at most 5 keys.

Yes, stripping all user IDs not matching the looked up email is
important, but does it strip signatures from others for that user ID?
That doesn't make sense to me, and I'd be surprised if it did?

/Simon
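
One way to check which certifications a binary (non-armored) OpenPGP key blob carries, such as a file prepared for WKD publication. This is an added example, not part of the original mail and not GnuPG code: it attributes v4 certifications by their issuer subpackets only, verifies nothing, and the function names and sample bytes are constructed for illustration.

```python
import hashlib

def length(buf, i, two_octet_max):  # new-format length at buf[i] -> (length, next index)
    n, i = buf[i], i + 1
    if 192 <= n <= two_octet_max:
        return ((n - 192) << 8) + buf[i] + 192, i + 1
    if n == 255:
        return int.from_bytes(buf[i:i + 4], "big"), i + 4
    if n >= 192:
        raise ValueError("partial body length not handled")
    return n, i

def packets(data):  # yield (tag, body) per packet, RFC 4880 section 4.2
    i = 0
    while i < len(data):
        if data[i] & 0x40:                      # new-format header
            tag, (n, i) = data[i] & 0x3F, length(data, i + 1, 223)
        else:                                   # old format; length type 3 raises IndexError
            tag, size = (data[i] >> 2) & 0x0F, (1, 2, 4)[data[i] & 3]
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def key_id(body):  # v4 key ID: low 64 bits of SHA-1(0x99, 2-byte length, key packet body)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]

def issuers(sig):  # key IDs in issuer (16) / issuer-fingerprint (33) subpackets of a v4 signature
    ids, pos = set(), 4
    for _ in range(2):                          # hashed area, then unhashed area
        end, pos = pos + 2 + int.from_bytes(sig[pos:pos + 2], "big"), pos + 2
        while pos < end:
            n, pos = length(sig, pos, 254)
            if sig[pos] & 0x7F in (16, 33):
                ids.add(sig[pos + 1:pos + n][-8:])
            pos += n
    return ids

def classify(blob):  # count certifications (0x10-0x13) by the primary key vs by other keys
    primary, counts = None, {"self": 0, "third_party": 0}
    for tag, body in packets(blob):
        if tag == 6 and body[0] == 4:
            primary = key_id(body)
        elif tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13:
            counts["self" if primary in issuers(body) else "third_party"] += 1
    return counts
# Constructed sample: dummy key material and signature values, nothing is verified.
KEY = b"\x04\x62\xcb\xf0\x00\x16constructed key material"
CERT = bytes([0xC2, 20, 4, 0x13, 22, 8, 0, 0, 0, 10, 9, 16])  # cert header up to the issuer value
SAMPLE = bytes([0x98, len(KEY)]) + KEY + b"\xb4\x11alice@example.org" + b"".join(
    CERT + kid + b"\0\0" for kid in (key_id(KEY), b"\x11" * 8, b"\x22" * 8))
```

Running `classify()` on the bytes of an exported key before and after export filtering shows whether third-party certifications are still present in what would be published.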