[Gpg4win-users-en] WKD for OpenPGP certificate "Intevation File Distribution Key <distribution-key at intevation.de>"

Thomas Arendsen Hein thomas at intevation.de
Wed Aug 7 15:49:36 CEST 2019


* Bernhard Reiter <bernhard at intevation.de> [20190806 16:58]:
> Am Dienstag 06 August 2019 14:25:07 schrieb Daniel Kahn Gillmor:
> > I don't see any constraint like "MUST NOT return multiple non-revoked
> > keyblocks",
> 
> This could be clarified in the next revision.

> Implicitely from the intentions as written down in section
>   3.  Web Key Directory
> it is understandable to have one public key delivered and that is considered 
> the currently associated pubkey for the email address that should be taken 
> for encryption.

> The idea with the current WKD is to solve the main use case first and
> well. And simple to implement. Other use cases can be considered afterwards.

The main use case of WKD is to provide an OpenPGP key if needed.

OpenPGP keys are needed when you want to encrypt to someone
_or_ when you want to verify a signature made by someone else.

WKD should support these two basic use cases.


To avoid ambiguity when selecting a key for encryption, WKD should
not provide more than one valid key.

For verifying signatures there is no ambiguity, because the signed
file/email is signed by a single key. If the WKD could provide this
key, all would be well here, but as my older mails/files are signed
by my older key and my newer mails/files are signed by by my newer
key, the person/software checking the signature of both mails/files
today should have a verified access to both, the old and the new
key.

A way to allow both use cases would be to allow only one key for
encryption purposes and multiple keys for validating signatures.

* Bernhard Reiter <bernhard at intevation.de> [20190807 09:53]:
> Getting other active pubkeys or old pubkeys can be handled by the public 
> keyserver network.

No, because the old pubkey wouldn't come from a trusted source this
way. WKD allows me to know that this key was at least provided by
the correct organisation, e.g. by Intevation GmbH in Germany for a
key retrieved from intevation.de's WKD, and that the number of
people who can provide a faked key this way is limited, i.e. the
admins of Intevation.

Additionally keyservers might not remove keys that should no longer
be used, because they are not the primary source of that key:
Intevation maintains Intevation's WKD, so they can remove a key.
If other people/organisations run keyservers (this can be more than
one!), Intevation can't (easily) remove such a key, unless a
mechanism will be created to do so. I don't know (yet) how such a
mechanism should work.

Regards,

Thomas

-- 
Thomas Arendsen Hein <thomas at intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20190807/6432348f/attachment.sig>


More information about the Gpg4win-users-en mailing list