WKD & Sequoia
gnupg at eckner.net
Wed Jan 13 21:55:51 CET 2021
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 13 Jan 2021, Juergen Bruckner via Gnupg-users wrote:
> Hello Stefan!
>> sequoia did the right step and I hope for people relying on GnuPG that
>> it is possible for them in the future too.
> So did Sequoia do that?
> You consider not to follow policies "the right step"?
> Sorry, but you don't have a clue about security!
> The only right way is to follow policies word by word.
That is certainly correct. But: WKD is "just" a draft, so it's open to
suggestions for change. "Ignore invalid certificates of the advanced URL"
is one suggestion.
In my view, this whole, lengthy thread boils down to the question of whether
we want that or we don't want that.
Let me share my two cents:
I *feel* like invalid certificates of advanced WKD URLs should not be
ignored, because this indicates something is not as it should be (e.g. it
is "unclean"). The fact that this might slow down WKD deployment, because
it makes the DNS setup *slightly* harder, stands against this feeling.
btw: I just recently changed (motivated by this thread) from the direct to
the advanced method of WKD deployment, eliminating the need for a reverse
proxy on archlinux32.org - and the need for a "no-wildcard" TXT record on
openpgpkey.archlinux32.org. ... why on earth did I set it up with the
direct method in the first place? ;-)
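The advanced-versus-direct WKD lookup that the thread argues about, as an added Python example that is not part of this message or of GnuPG/Sequoia: it builds both URLs the way the WKD draft describes them (SHA-1 of the lowercased local part, z-base-32 encoded, under `/.well-known/openpgpkey/`) and applies the strict policy favoured above: the direct method is used only when the `openpgpkey` sub-domain does not exist, and an invalid certificate on the advanced URL is a hard failure rather than a reason to fall back. The lenient behaviour the thread objects to is available behind a flag so the two can be compared. The resolver, the fetcher, the domain names and the key bytes are constructed in-memory stand-ins so the example runs offline.

```python
# Added example (not from the mailing-list thread): WKD URL construction and the
# advanced-before-direct lookup policy. DNS and HTTPS are replaced by constructed
# in-memory stand-ins so this runs without network access.
import base64
import hashlib
import ssl
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part; RFC 4648 base32 groups
# bits identically, so a character-by-character translation gives z-base-32.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
RFC4648_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_TO_ZBASE32 = str.maketrans(RFC4648_B32, ZBASE32)


def wkd_hash(local_part):
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 chars, no padding)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def wkd_urls(address):
    """Return (advanced_url, direct_url) for an e-mail address."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    l_param = quote(local_part, safe="")  # ?l= carries the original local part
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}"
    return advanced, direct


class WkdLookupError(Exception):
    """Raised when no key can be fetched under the chosen policy."""


def wkd_lookup(address, resolve, fetch, ignore_advanced_tls_errors=False):
    """Fetch key bytes for address.

    resolve(hostname) -> bool  : whether the name exists in DNS
    fetch(url)        -> bytes : HTTPS GET; raises ssl.SSLCertVerificationError
                                 when the server certificate does not verify

    Strict policy: the direct method is used only when the openpgpkey sub-domain
    does not exist. A certificate failure on the advanced URL is a hard error
    unless ignore_advanced_tls_errors is set (the lenient behaviour under debate).
    """
    domain = address.rsplit("@", 1)[1].lower()
    advanced, direct = wkd_urls(address)
    if resolve(f"openpgpkey.{domain}"):
        try:
            return fetch(advanced)
        except ssl.SSLCertVerificationError as exc:
            if not ignore_advanced_tls_errors:
                raise WkdLookupError(
                    f"advanced WKD URL presents an invalid certificate: {advanced}"
                ) from exc
            # lenient path: fall through to the direct method despite the bad cert
    return fetch(direct)


# --- constructed test-bed: three hypothetical domains with different setups ---
_DNS = {"openpgpkey.good.example", "openpgpkey.badcert.example"}  # directonly.example has no sub-domain
_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n-----END PGP PUBLIC KEY BLOCK-----\n"


def fake_resolve(hostname):
    return hostname in _DNS


def fake_fetch(url):
    if url.startswith("https://openpgpkey.badcert.example/"):
        raise ssl.SSLCertVerificationError("constructed: certificate verify failed")
    if url.startswith(("https://openpgpkey.good.example/",
                       "https://directonly.example/",
                       "https://badcert.example/")):
        return _KEY
    raise WkdLookupError(f"constructed: no such resource {url}")


def run_scenarios():
    """Outcome per address under the strict policy, plus the lenient result for badcert."""
    results = {}
    for addr in ("alice@good.example", "bob@directonly.example", "carol@badcert.example"):
        try:
            wkd_lookup(addr, fake_resolve, fake_fetch)
            results[addr] = "key fetched"
        except WkdLookupError as exc:
            results[addr] = f"rejected: {exc}"
    lenient = wkd_lookup("carol@badcert.example", fake_resolve, fake_fetch,
                         ignore_advanced_tls_errors=True)
    results["carol@badcert.example (lenient)"] = "key fetched" if lenient == _KEY else "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:38} {outcome}")
```

Running the block shows the point of the disagreement in one table: `good.example` and `directonly.example` succeed under the strict policy, `badcert.example` is rejected because the sub-domain exists but its certificate does not verify, and only the lenient flag turns that rejection into a key fetched from the direct URL.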