WKD proper behavior on fetch error

André Colomb andre at colomb.de
Mon Jan 18 08:49:30 CET 2021


On 18/01/2021 00.43, Stefan Claas wrote:
> But what you say I was thinking about as well. My proposal was to include
> in the policy file fingerprint(s) of key(s) and generate an .ots file, from
> opentimestamps.org, from the policy file and put that .ots file somewhere.
> In the old days it was common, prior to starting encrypted comms, to compare
> fingerprints over other channels.

If you are coordinating the use of a separate channel to compare
fingerprints, you can also just coordinate where the public keys are to
be downloaded.  As others have pointed out[1], it's even easier to set
up than WKD (no rules to follow).  And if you're not using the whole
thing for e-mail, then you're probably not using an e-mail client with
automatic WKD retrieval.  So there is no benefit of using WKD over
making up your own URL and telling that to your communication partners.

[1]: https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064633.html

> And regarding secure domains, would you consider VPS servers secure
> too for WKD?

I don't know about the servers, my point was about the domain control.
Whoever can change the DNS records can just have them point to a
different server with their own (malicious) content.  GitHub Pages as a
free web hosting service will certainly not give you the same security
guarantees as a hosting provider where you pay money to administer a
domain of your own.

> BTW. I did not receive yet your reply for my two other accounts, hence the
> late reply.

Sorry, I don't quite understand.  Would you like a reply to be addressed
directly in addition to the mailing list?

Kind regards
André

-- 
Greetings...
From: André Colomb <andre at colomb.de>
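The two points above (WKD only tells you where to fetch a key, and whoever controls the domain's DNS can serve a different key there; a fingerprint compared over a separate channel is what actually pins the identity) can be made concrete in code. The following is an added example, not code from this thread or from GnuPG: it derives the WKD "direct" and "advanced" lookup URLs for an address per the Web Key Directory draft (SHA-1 of the lowercased local part, z-base-32 encoded), parses the first packet of a binary OpenPGP key blob, computes its v4 fingerprint, and checks it against a pinned list such as the "policy file" fingerprints Stefan proposes. The key blob and the pinned list are constructed here for illustration; `PINNED_FINGERPRINTS` and `build_sample_key()` are hypothetical names, and no network fetch is performed.

```python
import hashlib
import hmac

# z-base-32 alphabet used by WKD for the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (5-bit groups, MSB first, no padding)."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(bits >> nbits) & 0x1F])
    if nbits:  # leftover bits are left-aligned into a final group
        out.append(ZBASE32[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_urls(address: str) -> dict:
    """WKD lookup URLs: the hash covers the lowercased local part only."""
    local, domain = address.rsplit("@", 1)
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    domain = domain.lower()
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={local}",
    }


def first_packet_body(blob: bytes) -> bytes:
    """Return the body of the first OpenPGP packet, which must be a public key (tag 6)."""
    tag_byte = blob[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:  # new-format header
        tag, first = tag_byte & 0x3F, blob[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + blob[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(blob[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported here")
    else:  # old-format header
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported here")
        lsize = (1, 2, 4)[ltype]
        length, off = int.from_bytes(blob[1:1 + lsize], "big"), 1 + lsize
    if tag != 6:
        raise ValueError("first packet is not a public-key packet")
    return blob[off:off + length]


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, two-octet length, packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def matches_policy(blob: bytes, pinned: list) -> bool:
    """True if the fetched key's fingerprint is one of the pinned fingerprints."""
    fpr = v4_fingerprint(first_packet_body(blob))
    normalized = [p.replace(" ", "").upper() for p in pinned]
    return any(hmac.compare_digest(fpr, p) for p in normalized)


def _mpi(x: int) -> bytes:
    bl = x.bit_length()
    return bl.to_bytes(2, "big") + x.to_bytes((bl + 7) // 8, "big")


def build_sample_key() -> bytes:
    """Constructed sample: a new-format packet holding a v4 RSA public key with toy MPIs."""
    n = int.from_bytes(hashlib.sha512(b"constructed modulus").digest(), "big")
    body = b"\x04" + (1610956800).to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(65537)
    return b"\xC6" + bytes([len(body)]) + body  # 0xC6: new format, tag 6


# Hypothetical policy file contents: the fingerprint you compared out of band.
PINNED_FINGERPRINTS = [v4_fingerprint(first_packet_body(build_sample_key()))]

if __name__ == "__main__":
    for kind, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(kind, url)
    print("pinned match:", matches_policy(build_sample_key(), PINNED_FINGERPRINTS))
```

The design point is in `matches_policy`: the URL tells you where a key was fetched from, not who controls the server, so the decision to trust is made against the fingerprint list, and a key served from the correct WKD path with a different fingerprint is rejected.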
