WKD: conveying intent of encrypt-by-default?

Jacob Bachmeyer jcb62281 at gmail.com
Tue Oct 4 06:39:04 CEST 2022

Phil Pennock via Gnupg-users wrote:
> [...]
> Problem: we use PGP for signing and for certain transactions which need
> high confidentiality, but for the most part, for most of our staff,
> setting up a PGP-capable mail client with our mail-provider is a pain
> and we're not interested.  We want the PGP keys _available_ for people
> to have a trusted path to the key, but that does _not_ mean that we want
> people to default to using PGP for all communications with us.

Simple option if most users at your site will be generating PGP 
signatures but not running PGP-capable MUAs:  generate sign-only keys 
and put those in WKD.  You would need a second mechanism for 
distributing the encryption-permitted keys for those users who need 
them, but the encryption keys could in turn be signed with the WKD 
sign-only keys to prevent a man-in-the-middle attack.

-- Jacob

More information about the Gnupg-users mailing list