WKD (was: Remove public key from keyserver)

Werner Koch wk at gnupg.org
Tue Jan 16 19:51:17 CET 2018


On Tue, 16 Jan 2018 16:46, stefan.claas at posteo.de said:

> This part I do not understand... I send the rev cert or my updated key
> again to WKD and then I can search a regular key server for the updated

A revoked key does not make sense in the WKD.  Either the key exists and
proves that this is the intended key for the mail address or it does not
exist.  There is no real revocation service.  However, I would suggest
also uploading the key to the keyservers so that it is easy to get
revocation certificates and new subkeys from an independent party - no
need to rely on the mail provider for this.

We definitely want to refine some things there but that requires a wider
deployment.

> I have with posteo's WKD implementation is that their policy is pretty
> strict, which I personally don't like and I told them so. I would like

Posteo only allows the mail address (addr-spec) and no real name in
the key for data protection reasons.  Thus a

 $ wget -O- posteo.de/.well-known/openpgpkey/policy 2>/dev/null
 # Policy for draft-koch-openpgp-webkey-service-04
 mailbox-only
 auth-submit

shows this policy flag.  If you upload your key using a tool employing
gpg-wks-client (e.g. KMail or Enigmail), this policy will be detected and,
if a plain addr-spec-only user-id does not exist, a new user-id will be
created and sent to posteo.

The real problem with Posteo is that they use invalid certificates for
all but the posteo.de domain.  Thus my posteo.net account does not work
because they redirect to posteo.de but do not include posteo.net in the
certificate for the initial access to posteo.net.  Bummer.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
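As an added example (not Werner's or GnuPG's own code), the following Python script parses a WKD policy file like the one quoted above, decides which user-id a mailbox-only provider such as Posteo would accept, and computes the direct-method lookup URL for an address. The key user-ids and the Joe.Doe address are constructed test values, and the ?l= query parameter of later drafts is assumed absent for draft -04.

```python
import hashlib
import re

# zbase32 alphabet used for the hashed user-id names under /hu/.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Constructed copy of the policy file quoted in the mail, for offline parsing.
POSTEO_POLICY = """# Policy for draft-koch-openpgp-webkey-service-04
mailbox-only
auth-submit
"""


def parse_policy(text):
    """Parse a WKD policy file into {keyword: value}; bare flags map to True."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no policy
        key, sep, value = line.partition(":")
        policy[key.strip().lower()] = value.strip() if sep else True
    return policy


def wkd_hash(local_part):
    """zbase32(SHA-1(lowercased local-part)): the 32-char name under /hu/."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")
    # 160 bits split into 32 groups of 5 bits, most significant group first.
    return "".join(ZBASE32[(n >> shift) & 31] for shift in range(155, -1, -5))


def wkd_url(addr):
    """Direct-method lookup URL (the ?l= query parameter is omitted here)."""
    local_part, domain = addr.rsplit("@", 1)
    return "https://%s/.well-known/openpgpkey/hu/%s" % (domain.lower(), wkd_hash(local_part))


def addr_spec(uid):
    """Extract the lowercased addr-spec from 'Name <addr>' or a bare addr."""
    m = re.search(r"<([^>]+)>", uid)
    return (m.group(1) if m else uid).strip().lower()


def user_id_for_submission(user_ids, addr, policy):
    """Return (user_id, created): under mailbox-only a bare addr-spec user-id
    is required, so one is created when the key only has 'Name <addr>'."""
    addr = addr.lower()
    matching = [u for u in user_ids if addr_spec(u) == addr]
    if not matching:
        raise ValueError("key has no user-id for %s" % addr)
    if policy.get("mailbox-only"):
        bare = [u for u in matching if u.strip().lower() == addr]
        return (bare[0], False) if bare else (addr, True)
    return matching[0], False
```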

