Support WKD (and WKS) for @debian.org email addresses?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Support WKD (and WKS) for @debian.org email addresses?

W. Martin Borgert
Hi,

just testing the waters, whether this is something people like or not:

As we all know, false PGP keys can easily be forged for any given
email address and uploaded to key servers. We've been there, even with
the correct short key ids and equally faked signatures!

One way to help senders getting the real receivers key is WKD (web key
directory). That is one HTTPS URL per email address, e.g. a static
directory with PGP key files. (See https://wiki.gnupg.org/WKD)

Example: To get the public key of Linus Torvalds, you type

$ gpg --auto-key-locate wkd --locate-keys [hidden email]

which fetches the public key from this URL:

https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x

Of course, WKD is only about fetching the key. The actual decision to
trust or not a key, let alone sign it, does not change by use of WKD.

The second thing is WKS (web key service): This is a protocol/tool to
publish, update or de-puplish keys via WKD in a standardized form.
(See https://wiki.gnupg.org/WKS)

Do we want WKD for debian.org, like gentoo.org and kernel.org?

TIA for your opinions & Cheers

Reply | Threaded
Open this post in threaded view
|

Re: Support WKD (and WKS) for @debian.org email addresses?

Ian Jackson-2
W. Martin Borgert writes ("Support WKD (and WKS) for @debian.org email addresses?"):
> One way to help senders getting the real receivers key is WKD (web key
> directory). That is one HTTPS URL per email address, e.g. a static
> directory with PGP key files. (See https://wiki.gnupg.org/WKD)

This is still an unapproved Internet Draft.  So the protocol may yet
change.

Personally I think the hash is bizarre.  Why make this protocol depend
on an obsolete hash function ?  One could just url-encode the email
address.  The server could deal with case-folding etc.

Ian.

Reply | Threaded
Open this post in threaded view
|

Re: Support WKD (and WKS) for @debian.org email addresses?

Guilhem Moulin-2
Hi,

On Wed, 07 Nov 2018 at 18:20:16 +0000, Ian Jackson wrote:
> Personally I think the hash is bizarre.  Why make this protocol depend
> on an obsolete hash function ?  One could just url-encode the email
> address.  The server could deal with case-folding etc.

Dunno if you'll find the arguments convincing, but FWIW this was brought up to
gnupg-devel in May 2016: see https://lists.gnupg.org/pipermail/gnupg-devel/2016-May/031068.html
and follow-ups in that thread.

Cheers,
--
Guilhem.

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Support WKD (and WKS) for @debian.org email addresses?

Ian Jackson-2
Guilhem Moulin writes ("Re: Support WKD (and WKS) for @debian.org email addresses?"):
> On Wed, 07 Nov 2018 at 18:20:16 +0000, Ian Jackson wrote:
> > Personally I think the hash is bizarre.  Why make this protocol depend
> > on an obsolete hash function ?  One could just url-encode the email
> > address.  The server could deal with case-folding etc.
>
> Dunno if you'll find the arguments convincing, but FWIW this was brought up to
> gnupg-devel in May 2016: see https://lists.gnupg.org/pipermail/gnupg-devel/2016-May/031068.html
> and follow-ups in that thread.

Huh.

Well, I followed the breadcrumbs to the spec and found an Internet
Draft.  So I decided that the IETF's openpgp list was the right place
to make my comments.

https://www.ietf.org/mail-archive/web/openpgp/current/msg09100.html

Ian.

--
Ian Jackson <[hidden email]>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply | Threaded
Open this post in threaded view
|

Re: Support WKD (and WKS) for @debian.org email addresses?

Peter Palfrader
In reply to this post by W. Martin Borgert
On Wed, 07 Nov 2018, W. Martin Borgert wrote:

> Do we want WKD for debian.org, like gentoo.org and kernel.org?
>
> TIA for your opinions & Cheers

I'd look at code that generates WKD and dane information for users that
enable it in ldap.

--
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/