photo-ID omitted when retrieving keys from WKD

Ingo Klöcker kloecker at kde.org
Mon Jan 31 18:53:58 CET 2022


On Monday, 31 January 2022 15:58:22 CET Piotr Morgwai Kotarbinski via Gnupg-users wrote:
> I have a public key with a photo-ID uploaded to WKD at my domain and when I
> download it manually and import to gpg, everything works as expected:
[...]
> However if I try to locate the same key automatically using WKD mechanism,
> then the attached photo-ID is not imported into my keyring:
[...]
> Is this intended or is it a bug?

Yes, this is intended. Keys retrieved via WKD are always imported with the 
equivalent of the import filter {keep-uid=<email address used for WKD 
retrieval>}.

The reasoning is that only user IDs matching the email address used to
retrieve the key via WKD can be somewhat trusted (if you trust the people
running the WKS). Any other user ID on the key, including photo IDs, could be
fake, i.e. you could easily add the photo of another person as a photo ID to
your key.

Regards,
Ingo
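As an added illustration of the behaviour Ingo describes (this is not code from the message or from GnuPG), the following Python models the two pieces involved: how a WKD client turns the address into the lookup URL (SHA-1 of the lowercased local part, z-base-32 encoded, as in draft-koch-openpgp-webkey-service), and a filter equivalent to `--import-filter 'keep-uid=mbox = <address>'` applied to the user IDs of a fetched key. The key, its user IDs and the address piotr@example.org are constructed for the example; the photo ID is modelled as a user-attribute packet, which carries no mailbox and therefore can never match the filter.

```python
"""Model of what a WKD lookup does with the user IDs on the key it fetches.

Added illustration for this thread, not GnuPG code.  It shows how the WKD
lookup URL for an address is derived, and a filter equivalent to
    --import-filter 'keep-uid=mbox = <address>'
applied to a constructed key: user IDs whose mailbox is not the queried
address are dropped, and a photo ID (user-attribute packet) has no mailbox
at all, so it never survives the filter.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5 bits per character, most significant bits first, no padding
    characters (a 20-byte SHA-1 digest is exactly 32 characters)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # only matters for inputs not a multiple of 5 bits
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(address: str) -> str:
    """The 'hu' path component: z-base-32(SHA-1(lowercased local part))."""
    local = address.rsplit("@", 1)[0]
    return zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Advanced and direct lookup URLs as defined by draft-koch-openpgp-webkey-service."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hash(address)
    l_param = quote(local, safe="")  # local part as written, URL-encoded
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
    }


@dataclass(frozen=True)
class KeyPacket:
    """A user ID (OpenPGP tag 13) or user attribute (tag 17, e.g. a photo)."""
    tag: int
    value: str  # the UID string; for a user attribute only a label


UID, UAT = 13, 17
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$")


def mbox_of(pkt: KeyPacket) -> Optional[str]:
    """GnuPG's 'mbox' property of a user ID: the address in angle brackets, or the
    whole UID if it is a bare address.  User attributes have no text, hence no mailbox."""
    if pkt.tag != UID:
        return None
    m = ANGLE_ADDR.search(pkt.value)
    if m:
        return m.group(1).lower()
    bare = pkt.value.strip()
    if "@" in bare and not re.search(r"\s", bare):
        return bare.lower()
    return None


def keep_uid_mbox(packets: List[KeyPacket], address: str) -> List[KeyPacket]:
    """Equivalent of --import-filter 'keep-uid=mbox = <address>': keep only the
    packets whose mailbox equals the address used for the WKD lookup."""
    want = address.lower()
    return [p for p in packets if mbox_of(p) == want]


# Constructed key for the example (not a real key): the published key carries a
# second address, a bare-address UID and a photo ID.
PUBLISHED_KEY = [
    KeyPacket(UID, "Piotr Example <piotr@example.org>"),
    KeyPacket(UID, "Piotr Example (work) <piotr@example.com>"),
    KeyPacket(UID, "piotr@example.org"),
    KeyPacket(UAT, "[jpeg image of size 2048]"),  # photo ID: no mailbox, always dropped
]


if __name__ == "__main__":
    addr = "piotr@example.org"
    for kind, url in wkd_urls(addr).items():
        print(f"{kind:8s} {url}")
    print("manual import keeps:", [p.value for p in PUBLISHED_KEY])
    print("WKD lookup keeps   :", [p.value for p in keep_uid_mbox(PUBLISHED_KEY, addr)])
```

Running it shows the whole user-ID set surviving a manual `--import` and only the two UIDs carrying piotr@example.org surviving the WKD-style filter; the work address and the photo ID are gone. The same effect can be reproduced with the real tool on any exported key via `gpg --import-filter 'keep-uid=mbox = piotr@example.org' --import key.asc`, and `gpg --with-wkd-hash --list-keys` prints the hashed local part the URL derivation above computes.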