WKD: returns only one pubkey (and why)

Bernhard Reiter bernhard at intevation.de
Thu Feb 23 16:53:31 CET 2023


On Friday, 27 January 2023 09:13:15, Simon Josefsson via Gnupg-devel wrote:
> my goal is to come up with the best/safest text to write in a software
> release on how to verify OpenPGP signatures for the tarball.
>
> Currently I'm using the text below, which recommends 'gpg
> --locate-external-key' as the preferred mechanism and normally that uses
> WKD and will try to refresh the key from the server (otherwise people
> get old cached keys from local key storage).  I like the simplicity and
> UX of this approach. 

If the email address has the same domain as the downloading domain
of the package, it is all controlled by the same entity. It would make more 
sense to have a second path to building trust in a public key.

One source of trust would be that you already have an old pub key from a 
previous download.

Another practice I hope to establish is that clients will from time to time 
query a keyserver about the pubkey to have a chance to see if there is a 
revocation for the pubkey they'll get from the email provider, and to have a 
chance to detect malicious acts by the email provider itself.

> This mechanism must be able to retrieve all 
> currently valid keys for a particular e-mail address, otherwise people
> will complain not finding the right key.

This is only a problem if an old tarball is to be verified.
One way to build trust could be to get the new, current, recommended pubkey 
from the WKD and then retrieve the other pubkey from a keyserver
and a signature from the WKD pubkey. This would only work if keyservers
carried 3rd party signatures again.

> Second to using the e-mail, maybe retrieving by key id should be
> preferred because that is more stable.  However there aren't really any
> stable working keyid-based OpenPGP key search engines left, are there?

Sure, a number of them:
  https://spider.pgpkeys.eu/
e.g.
  https://keyserver2.gnupg.org/

Bernhard
-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter
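
An added example, not part of the original message or of GnuPG: a sketch of the second-path check described above, comparing the key obtained via WKD with a keyserver copy and an optionally pinned fingerprint from an earlier download. It assumes both listings were produced with `gpg --show-keys --with-colons` on the key material from each source; the function names, finding labels, addresses and fingerprints are constructed for illustration.

```python
from urllib.parse import urlsplit

def primary_keys(listing):
    """Map primary-key fingerprint -> validity flag from gpg --with-colons output."""
    keys, validity = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 1:
            validity = f[1]            # field 2: 'r' revoked, 'e' expired
        elif f[0] == "fpr" and len(f) > 9 and validity is not None:
            keys[f[9]] = validity      # field 10: fingerprint of the preceding pub
            validity = None            # so subkey fpr records are skipped
    return keys

def cross_check(email, download_url, wkd_listing, ks_listing, pinned_fpr=None):
    """Return findings (hypothetical labels) for a key fetched via WKD."""
    findings = []
    domain = email.rsplit("@", 1)[1].lower()
    host = (urlsplit(download_url).hostname or "").lower()
    if host == domain or host.endswith("." + domain):
        findings.append("same-entity")      # WKD and tarball share one operator
    wkd, ks = primary_keys(wkd_listing), primary_keys(ks_listing)
    for fpr in wkd:
        if fpr not in ks:
            findings.append("not-on-keyserver:" + fpr)
        elif ks[fpr] == "r":
            findings.append("revoked-on-keyserver:" + fpr)
    if pinned_fpr and pinned_fpr not in wkd:
        findings.append("differs-from-pinned")  # key changed since last download
    return findings

def _listing(fpr, validity):
    # Constructed sample in colon format; not real key data.
    return "\n".join([
        "pub:%s:255:22:%s:1600000000:::-:::scESC:" % (validity, fpr[-16:]),
        "fpr" + ":" * 9 + fpr + ":",
        "uid:-::::1600000000::::Maintainer <maint@example.org>:",
        "sub:-:255:18:%s:1600000000::::::e:" % ("B" * 16),
        "fpr" + ":" * 9 + "B" * 40 + ":",
    ])

FPR = "A" * 40                               # constructed fingerprint
WKD_SAMPLE = _listing(FPR, "-")              # as served by the email domain
KS_SAMPLE = _listing(FPR, "r")               # keyserver copy carries a revocation

if __name__ == "__main__":
    for item in cross_check("maint@example.org",
                            "https://ftp.example.org/foo-1.0.tar.gz",
                            WKD_SAMPLE, KS_SAMPLE, pinned_fpr="C" * 40):
        print(item)
```

An empty result only means the two sources agree; it does not by itself establish that the key belongs to the maintainer.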