WKD proper behavior on fetch error
andre at colomb.de
Mon Jan 18 08:49:30 CET 2021
On 18/01/2021 00.43, Stefan Claas wrote:
> But what you say I was thinking about as well. My proposal was to include
> in the policy file fingerprint(s) of key(s) and generate an .ots file, from
> opentimestamps.org, from the policy file and put that .ots file somewhere.
> In the old days it was common, prior to starting encrypted comms, to compare
> fingerprints over other channels.
If you are coordinating the use of a separate channel to compare
fingerprints, you can also just coordinate where the public keys are to
be downloaded. As others have pointed out, it's even easier to set
up than WKD (no rules to follow). And if you're not using the whole
thing for e-mail, then you're probably not using an e-mail client with
automatic WKD retrieval. So there is no benefit to using WKD over
making up your own URL and telling that to your communication partners.
> And regarding secure domains, would you consider VPS servers secure
> too for WKD?
I don't know about the servers, my point was about the domain control.
Whoever can change the DNS records can just have them point to a
different server with their own (malicious) content. GitHub Pages as a
free web hosting service will certainly not give you the same security
guarantees as a hosting provider where you pay money to administer a
domain of your own.
> BTW. I have not yet received your reply for my two other accounts, hence the
> late reply.
Sorry, I don't quite understand. Would you like a reply to be addressed
directly in addition to the mailing list?
From: André Colomb <andre at colomb.de>