Key Discovery Made Simple

Stephan Beck stebe at mailbox.org
Thu Sep 8 13:40:00 CEST 2016


Hi Christopher,

Christopher Beck:
> Hi,
>
> just a (maybe) stupid question: the matching key to my recipient can be
> fetched by keyservers and I determine the correct key of all of the
> (sometimes "wrong" keys) by validating the signatures according to the
> WoT. So, what's the benefit of this new key service? It sounds much more
> complicated (and untrustworthy) than just using the WoT.

Within the WoT the certificate chain relies on the ultimate fact that
you have physically met at least one WoT member in person, and that
each of you has checked that the other's ID document is valid and that
the photo corresponds to him/her, and exchanged and verified the
fingerprints of your pubkeys (off-line key verification). Then you send
the signed key to the other person. As your pubkey is now signed by a
person of the WoT and his key signed by you (and you updated your keys
with the new signature(s) on a keyserver), you are also "associated"
with other members of the WoT that the WoT member is directly associated
with.

With the WKS [1] it is not necessary to (physically) have met a person
beforehand. The server (of the mail provider) checks that a key sent
with/from the generated submission address has a user ID that really
corresponds to a legitimate mail address (account) of the user on that
server of the provider by sending a message containing a nonce and the
fingerprint. After a successful verification the key is published.
There is no offline key exchange/verification, although you might think
of "WKS users" that then meet in person and, additionally, do that.

What you mean by "untrustworthy" is (1) that you have to trust the
mail provider setting up the WKS service and (2) that there is no
initial step of offline key exchange/verification, don't you?

I think it's to push the mass usage of OpenPGP keys (given the fact that
the WoT grows at a speed that is too low), but you surely have to rely on
the mail provider's trustworthiness. But there is no obstacle to doing
an off-line verification afterwards.

But I'd also like to know more about possible weak points related to the
usage of WKS.

Stebe


[1]https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-01.html

Christopher Beck:
> Hi,
> 
> just a (maybe) stupid question: the matching key to my recipient can be 
> fetched by keyservers and I determine the correct key of all of the (sometimes 
> "wrong" keys) by validating the signatures according to the WoT. So, what's 
> the benefit of this new key service? It sounds much more complicated (and 
> untrustworthy) than just using the WoT.
> 
> Confused Greetings
> 
> Beckus
> 
> On Tuesday, 30 August 2016 16:39:15 CEST Werner Koch wrote:
>> Hi,
>>
>> I just published a writeup on how to setup the Web Key Service at
>> https://gnupg.org/blog/20160830-web-key-service.html
>>

More information about the Gnupg-users mailing list