
Re: [openpgp] [Gpg4win-users-en] WKD for OpenPGP certificate "Intevation File Distribution Key <distribution-key(_at_)intevation(_dot_)de>"

2019-08-08 08:02:43
On Wed 2019-08-07 15:49:36 +0200, Thomas Arendsen Hein wrote:
> OpenPGP keys are needed when you want to encrypt to someone
> _or_ when you want to verify a signature made by someone else.
>
> WKD should support these two basic use cases.
>
> To avoid ambiguity when selecting a key for encryption, WKD should
> not provide more than one valid key.
>
> For verifying signatures there is no ambiguity, because the signed
> file/email is signed by a single key. If the WKD could provide this
> key, all would be well here, but as my older mails/files are signed
> by my older key and my newer mails/files are signed by my newer
> key, the person/software checking the signature of both mails/files
> today should have verified access to both the old and the new
> key.
>
> A way to allow both use cases would be to allow only one key for
> encryption purposes and multiple keys for validating signatures.

I think this is sound reasoning, and a great solution to the problem.
Thanks, Thomas!

It's good to have identified the underlying rationale for the two
different use cases, as well as a solution that appears to meet them
both.

The one outstanding use case that isn't handled by this solution is two
certificates which differ by public key algorithm and are both
encryption-capable.  I can imagine some even more subtle gradations of
WKD requirements that would satisfy that use case as well, but perhaps
they're too subtle to be worth specifying.  If that final use case gets
left unsolved, we're still in much better shape than the status quo.

Perhaps you could propose some text to modify the WKD draft?

If you want to propose an easily-applicable diff, the source is in this
git repository:

   https://dev.gnupg.org/source/gnupg-doc.git

in the file misc/id/openpgp-webkey-service/draft.org 

Perhaps Werner can weigh in on where he would like diffs to be sent so
that he can most easily track them for inclusion.  As someone working
with different OpenPGP implementations that themselves do some variant
of WKD lookup at least, i think it would be great to post a proposed
diff here to the openpgp(_at_)ietf(_dot_)org mailing list as well, so that other
implementers can consider it and weigh in about what makes sense for
them.

> * Bernhard Reiter <bernhard(_at_)intevation(_dot_)de> [20190807 09:53]:
>> Getting other active pubkeys or old pubkeys can be handled by the public
>> keyserver network.
>
> No, because the old pubkey wouldn't come from a trusted source this
> way.

I agree that WKD provides some additional benefit of authenticity here.
Without that, the signer might as well just ship the certificate with
the signature, and let the end user verify it that way.

i don't think it's bad to ship the certificate with the signature, fwiw.
That approach has very nice properties from the perspective of metadata
leakage -- no leakage at all, and also no dependencies on internet
connectivity or third-party services which might have outages.

             --dkg
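As an added illustration that is not part of this message or of the GnuPG project's code: the "one key for encryption, several keys for verifying signatures" rule from Thomas's proposal, applied on the client side to the certificates a WKD lookup returns. Key-flag bit values are the ones RFC 4880 defines; the certificates, fingerprints and dates are constructed for the example, and the selection helper also shows the still-unsolved case from this reply, two live encryption-capable certificates.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Key-flag bits from RFC 4880, section 5.2.3.21.
KF_SIGN = 0x02
KF_ENCRYPT = 0x04 | 0x08  # encrypt communications | encrypt storage

@dataclass
class Key:
    fingerprint: str
    flags: int
    created: date
    expires: Optional[date] = None
    revoked: bool = False

    def usable_at(self, when: date) -> bool:
        """Not revoked, already created and not yet expired on `when`."""
        return (not self.revoked and self.created <= when
                and (self.expires is None or when < self.expires))

@dataclass
class Certificate:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)

    def keys_with(self, flag: int, when: date) -> List[Key]:
        """Keys carrying `flag` usable on `when`; the primary key must be live too."""
        if not self.primary.usable_at(when):
            return []
        return [k for k in [self.primary, *self.subkeys] if k.flags & flag and k.usable_at(when)]

def select_encryption_cert(certs: List[Certificate], today: date) -> Optional[Certificate]:
    """Encryption: exactly one live encryption-capable certificate; zero or several is ambiguous."""
    live = [c for c in certs if c.keys_with(KF_ENCRYPT, today)]
    return live[0] if len(live) == 1 else None

def verification_fingerprints(certs: List[Certificate], signed_on: date) -> List[str]:
    """Verification: every signing key that was valid when the signature was made."""
    return sorted(k.fingerprint for c in certs for k in c.keys_with(KF_SIGN, signed_on))

# Constructed sample: an expired RSA certificate, its ECC successor (signing primary,
# encryption subkey), and a second still-live RSA certificate (the ambiguous case).
OLD = Certificate(Key("OLDFPR", KF_SIGN | KF_ENCRYPT, date(2015, 1, 1), expires=date(2019, 3, 1)))
NEW = Certificate(Key("NEWFPR", KF_SIGN, date(2019, 2, 1)),
                  [Key("NEWSUB", KF_ENCRYPT, date(2019, 2, 1))])
ALT = Certificate(Key("ALTFPR", KF_SIGN | KF_ENCRYPT, date(2018, 1, 1)))

if __name__ == "__main__":
    print(select_encryption_cert([OLD, NEW], date(2019, 8, 8)).primary.fingerprint)  # NEWFPR
    print(select_encryption_cert([OLD, NEW, ALT], date(2019, 8, 8)))                # None (ambiguous)
    print(verification_fingerprints([OLD, NEW], date(2018, 6, 1)))                   # ['OLDFPR']
```

A mail signed in June 2018 still verifies against the old key because validity is judged at signing time, while encryption today resolves to the successor alone.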

