WKD & Sequoia

Erich Eckner gnupg at eckner.net
Wed Jan 13 21:55:51 CET 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, 13 Jan 2021, Juergen Bruckner via Gnupg-users wrote:

> Hello Stefan!

Hi all,

>
>
> [...]
>> sequoia did the right step and I hope for people relying on GnuPG that
>> it is possible for them in the future too.
>
> So did Sequoia do that?
> You consider not to follow policies "the right step"?
> Sorry, but you don't have a clue about security!
>
> The only right way is to follow policies word by word.

That is certainly correct. But: WKD is "just" a draft, so it's open to 
suggestions for change. "Ignore invalid certificates of the advanced URL" 
is one suggestion.

In my view, this whole, lengthy thread boils down to the question whether 
we want that or we don't.

Let me share my two cents:

I *feel* like invalid certificates of advanced WKD URLs should not be 
ignored, because this indicates that something is not as it should be (e.g. it 
is "unclean"). The fact that this might slow down WKD deployment, because 
it makes the DNS setup *slightly* harder, stands against this feeling.

btw: I just recently changed (motivated by this thread) from the direct to 
the advanced method of WKD deployment, eliminating the need for a reverse 
proxy on archlinux32.org - and the need for a "no-wildcard" TXT record on 
openpgpkey.archlinux32.org. ... why on earth did I set it up with the 
direct method in the first place? ;-)

regards,
Erich

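The direct versus advanced WKD lookup that the mail above refers to, as an added example that is not part of the original message, of GnuPG or of Sequoia. It derives both URL forms for an address (lowercased local part, SHA-1, z-base-32, as the WKD draft specifies) and then models the client flow that the thread argues about: advanced method first, direct method only when the openpgpkey subdomain does not exist, with an `ignore_invalid_advanced_cert` switch for the "ignore invalid certificates of the advanced URL" proposal. The `lookup` flow, that switch, the `CertificateError` class and the `demo_*` stand-ins for DNS and HTTPS are my own constructions; `example.org` is a constructed host and no network access is made.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding, 5 bits per character."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 0x1F])
    if nbits:  # left-align the remaining bits into a final character
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hashes the *lowercased* local part with SHA-1 and z-base-32 encodes it."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the direct and advanced WKD key and policy URLs for an address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("expected user@domain")
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")  # the l= parameter keeps the original case
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
    }


class CertificateError(Exception):
    """Raised by the fetch callback when the TLS certificate does not validate (constructed)."""


def lookup(address, resolve, fetch, ignore_invalid_advanced_cert=False):
    """Model (assumed, not any client's code) of the WKD client flow:
    advanced method first; direct method only if openpgpkey.<domain> does not
    resolve. The keyword argument is the behaviour debated in the thread."""
    urls = wkd_urls(address)
    domain = address.rpartition("@")[2].lower()
    if resolve(f"openpgpkey.{domain}"):
        try:
            return "advanced", fetch(urls["advanced"])
        except CertificateError:
            if not ignore_invalid_advanced_cert:
                raise  # strict reading of the draft: a bad certificate is a failure
            # lenient proposal: treat the broken advanced endpoint as absent
    return "direct", fetch(urls["direct"])


def lookup_outcome(address, resolve, fetch, ignore_invalid_advanced_cert=False):
    """Convenience wrapper returning 'advanced', 'direct' or 'cert-error'."""
    try:
        return lookup(address, resolve, fetch, ignore_invalid_advanced_cert)[0]
    except CertificateError:
        return "cert-error"


# Constructed offline stand-ins for DNS and HTTPS; SAMPLE_KEY is not a real key.
SAMPLE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n"


def demo_resolve(host):
    """Pretend only openpgpkey.example.org exists in DNS."""
    return host == "openpgpkey.example.org"


def demo_fetch_bad_advanced_cert(url):
    """Pretend the advanced endpoint serves an invalid certificate; direct works."""
    if url.startswith("https://openpgpkey."):
        raise CertificateError("certificate verify failed (constructed)")
    return SAMPLE_KEY


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
    for lenient in (False, True):
        print("ignore_invalid_advanced_cert =", lenient, "->",
              lookup_outcome("Joe.Doe@Example.ORG", demo_resolve,
                             demo_fetch_bad_advanced_cert, lenient))
```

Run it to see why the two readings differ: with the strict flow a domain whose openpgpkey subdomain answers with a bad certificate yields no key at all, while the lenient flow silently falls through to the direct URL on the bare domain.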
