Infrastructure support for GnuPG post-quantum keys
Frank Guthausen
fg.gnupg at shimps.de
Tue Jan 7 15:40:12 CET 2025
On Tue, 7 Jan 2025 04:09:52 +0000
have--- via Gnupg-users <gnupg-users at gnupg.org> wrote:
>
> A question of netiquette: Is it acceptable to do this on a first
> post to a public list?
Without having a final answer, some thoughts:
1. Signed emails which are sent to a list can be verified only with the
   public key. Thus the other list members should have a chance to get
   this key.
2. Sending the key once will exclude those
   people / list members who join afterwards.
3. Sending the key always will increase traffic and amount
   of used storage space. Maybe this isn't any kind of real
   issue nowadays.
4. Given a public mailing list archive, can the key be extracted from
   there in the far future? Which format would be suitable for this?
   Are the headers archived completely?
5. The WKD web key directory looks like a suitable workflow to distribute
   public keys without repeated overhead inside the emails themselves. Just
   as a proof of concept for myself, I tried it several months ago. It's
   easy to set up in conjunction with some webspace. Actually this is only
   a "works for me" solution, YMMV. I do not claim it to be _the_ single
   and universal solution.
6. Maybe the final answer is not agreeing on a single distribution
   workflow but having different options live and in the wild. This
   could protect against surprising disruption attacks against the
   ecosystem as it happened with keyservers in the past.
--
kind regards
Frank