WKD proper behavior on fetch error

Ángel angel at pgp.16bits.net
Tue Jan 19 02:33:32 CET 2021


On 2021-01-17 at 23:43 +0000, Stefan Claas via Gnupg-users wrote:
> I encountered only one MITM attack a couple of years ago so far, from an
> SKS user. He was a retired police officer from Austria, who contacted me.
> But what you say I was thinking about as well. My proposal was to include
> in the policy file fingerprint(s) of key(s) and generate an .ots file, from
> opentimestamps.org, from the policy file and put that .ots file somewhere.
> In the old days it was common, prior to starting encrypted comms, to compare
> fingerprints over other channels.

If you can safely publish that ots file, you could as well publish your
openpgp key in the same place.

And if you are exchanging fingerprints over a separate, secure channel,
you can use that to directly verify/fetch the key.


(It often makes sense to publish it in many redundant ways, but
strictly it _shouldn't_ be needed)


Best regards



