<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jul 9, 2022 at 11:09 AM Simon Josefsson via Gnupg-devel <<a href="mailto:gnupg-devel@lists.gnupg.org">gnupg-devel@lists.gnupg.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi<br>
<br>
I'm reading<br>
<br>
<a href="https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-14" rel="noreferrer" target="_blank">https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-14</a><br>
<br>
with the background that the OpenPGP web of trust has a problem that<br>
many services now do not offer non-selfsig of the keys they return,<br>
making it difficult to get hold of them and then build a web of trust<br>
confidence in the key that was retrieved.<br></blockquote><div><br></div><div>The question of publishing the signatures of a public key, along with the public key itself, is interesting. I never thought about it.</div><div>Now that I think about it, it seems to me that it is completely up to the user how to export the key and how to publish it.</div><div>For example, instead of using a command like:</div><div><br></div><div> gpg --no-armor --export \</div><div> <a href="mailto:user@example.org">user@example.org</a> > nmxk159crbcuk3imqiw13gkjmfwd8mqj</div><div><br></div><div>You can use a command like this to avoid exporting any signatures:</div><div><br></div><div> gpg --no-armor --export \</div><div> --export-options export-minimal \</div><div> <a href="mailto:user@example.org">user@example.org</a> > nmxk159crbcuk3imqiw13gkjmfwd8mqj</div><div><br></div><div>By default, the signatures are exported with the public key. Or you can use the option "export-clean" instead, in order to avoid exporting the signatures that are not usable.</div><div>For more details see: <a href="https://www.gnupg.org/documentation/manuals/gnupg/GPG-Input-and-Output.html">https://www.gnupg.org/documentation/manuals/gnupg/GPG-Input-and-Output.html</a></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
My hope was there would (or: could) be guidance on this matter in this<br>
document, but I don't see any -- am I missing it?<br>
<br>
I think it would be nice if this topic should be discussed in the<br>
document, possibly as a security considerations and with<br>
recommendations.<br>
<br>
How about the following strawman that illustrate what I'm after?<br>
<br>
OpenPGP keys can contain signatures from others, that may aid in<br>
determining the trustworthyness of a certain key (the web of trust).<br>
Including these signatures in the published file is therefor<br>
RECOMMENDED. The primary reason for not doing so may be due to size<br>
constraints or when permission to publish a third-party personal<br>
identifier has not been granted.<br>
<br>
What do you think?<br></blockquote><div><br></div><div>I agree that these things should be discussed and explained somewhere, in user guides, tutorials, etc. But maybe not in the spec. The spec does not even mention the command `gpg --export`, how can it describe and detail export options?</div><div><br></div><div>Regards,</div><div>Dashamir</div><div><br></div></div></div>