PKA support

Werner Koch wk at gnupg.org
Fri Apr 10 09:28:29 CEST 2026


Hi!

> I just realized, as I was searching for Werner's current key, that PKA
> was removed from GnuPG in 2021.

Right.  The practical problem with PKA is that the majority of mail users
have no way to easily add records to their zone.  With WKD you only need
a web server and a way to upload things.

Except for the huge mail providers it is easy to set up a way to install
keys on the webserver.  mailbox.org, posteo, kernel.org, protonmail and
more allow this and that covers a lot of mail addresses.

Google and Microsoft have no interest in helping here because it might
damage their business model.  The German Telekom (t-online) could do
this and I even had meetings with them and adjusted the protocol for
their requirements.  But it seems they don't care about security and
prefer to direct their customers to their ad-ridden portal.

But we want to decentralize mail again, don't we?

> The problem with WKD is that it relies on https and I refuse to use that
> broken CA based system that forces me to renew my certs every month or

The security of TLS is not as good as it could be but at least it is
good enough to do all the commerce.  Thus it is better than nothing.
And: DNS is not more secure given all the problems and the move from DNS
to HTTPS based DNS lookup in the browsers.

In any case the idea of WKD is an easy way to retrieve keys; whether you
put some initial trust into it (Kleopatra and GpgOL do that) is up to
you.  It is not intended to replace classic PGP key validation.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
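
Added example, not part of the message above and not GnuPG code: a sketch of what "a web server and a way to upload things" means for WKD, computing where a key for one address is looked up and where the file goes under the web root. The URL layout, the SHA-1/z-base-32 hash and the policy file follow the Web Key Directory draft (draft-koch-openpgp-webkey-service) as assumed here; the function names are hypothetical and the address is a sample.

```python
import base64
import hashlib
from urllib.parse import quote

# z-base-32 groups bits like RFC 4648 base32 but uses a different alphabet,
# so the standard encoder plus a character translation is enough.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_B32, _ZB32)


def wkd_hash(local_part: str) -> str:
    """z-base-32 of SHA-1 over the local part with ASCII letters lowercased."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    digest = hashlib.sha1(lowered.encode("utf-8")).digest()  # 20 bytes, no padding
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def wkd_locations(address: str) -> dict:
    """Lookup URLs (advanced and direct method) and web-root paths for an address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")  # original-case local part
    return {
        # Clients try the openpgpkey. subdomain first, then the bare domain.
        "advanced_url": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct_url": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
        # Files to upload for the direct method: the binary key and a policy file.
        "direct_key_path": f".well-known/openpgpkey/hu/{h}",
        "direct_policy_path": ".well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    # Sample address, constructed for illustration.
    for name, value in wkd_locations("Joe.Doe@Example.ORG").items():
        print(f"{name}: {value}")
```

The file stored at the key path is the binary (not ASCII-armored) public key; whether a key fetched this way gets any initial trust remains a client-side decision.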