[Gpg4win-users-en] WKD for OpenPGP certificate "Intevation File Distribution Key <distribution-key at intevation.de>"

Thomas Arendsen Hein thomas at intevation.de
Mon Aug 5 13:32:33 CEST 2019


Hi!

* Daniel Kahn Gillmor <dkg at fifthhorseman.net> [20190731 07:41]:
> https://www.gpg4win.org/package-integrity.html suggests that there are
> two OpenPGP certificates that might be used to verify the integrity of
> gpg4win releases.
> 
> Fetching those certificates and looking at them, i notice that the
> user ID on both certificates is:
> 
>      Intevation File Distribution Key <distribution-key at intevation.de>
> 
> When i tried to fetch them via WKD, though, only the older certificate
> is returned:
> 
>     0 $ gpg --locate-key distribution-key at intevation.de
>     gpg: key 7CBD620BEC70B1B8: public key "Intevation File Distribution Key <distribution-key at intevation.de>" imported
>     gpg: Total number processed: 1
>     gpg:               imported: 1
>     gpg: no ultimately trusted keys found
>     pub   dsa1024 2010-03-19 [SC] [expires: 2020-03-16]
>           61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8
>     uid           [ unknown] Intevation File Distribution Key <distribution-key at intevation.de>
> 
>     0 $
> 
> I think it would make more sense to publish both certificates in WKD,
> rather than just the older one.
> 
> Could you make that change?

The WKD RFC does not allow publishing multiple keys for the same
email address, unless all but one of the keys has been revoked.

But it makes sense to only publish the new key, so I just replaced
it.

Andre, do you think it would be helpful to keep old keys available
via WKD? If yes, either the WKD RFC needs to be adjusted (which
possibly can be helpful for people having multiple keys, too, e.g.
ed25519 and a more compatible fallback rsa3072 key, or during key
rollover when emails are still signed with the old key, but a new
key already is available) or we need to use different email
addresses, e.g. distribution-key+2016 at ... for a key generated in
2016.

Thank you for the notice,

Thomas

-- 
Thomas Arendsen Hein <thomas at intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner