On Tue, Jun 14, 2022 at 12:28 AM Gunnar Wolf <gw...@debian.org> wrote:

>
> Most of you are aware that the keyserver network is currently in a
> quite weak status; please ensure we can find your updated keys at
> several different keyservers (at least, by uploading them); I suggest
> you try something like the following:
>
>     $ export MY_KEY=0x2404C9546E145360 # Naturally, your key goes here
>     $ for i in pgpkeys.eu pgp.surf.nl pgp.pm keyserver.ubuntu.com the.earth.li
>     > do
>     >     gpg --keyserver $i --send-key $MY_KEY
>     > done
>

Here are my public keys:
https://cloud.fs.al/s/wrer7jXfF4EtZot/download/9EAA95B4E9731B6B757ACD629229692B9A5D205A.pubkey
https://cloud.fs.al/s/m4GSibeESJA3enk/download/18931AB4720C1EA3C28B95B3775FB44C0C6AD08D.pubkey

I'd suggest that we try a keysigning party without keyservers this time. It
should not be very difficult.
The issue is not whether the keyservers will be up during the conference or
not, rather it is that the keyserver model seems to be broken and should be
avoided/abandoned.
About the WKD, if it does not support keysigning and WoT well, maybe it
should be improved to support them.
The ideal solution, in my opinion, would be to start using self-sovereign
identity, but we are not there yet.

To sign public keys without keyservers, as far as I can understand, the
steps would be like these:
1. The coordinator collects all the public keys of the participants in a
keyring and shares this keyring with all the participants (Gunnar has
already mentioned that he is going to do this).
2. Each participant physically verifies some other participants and marks
their fingerprints on the list, in order to sign them later.
3. Using the shared keyring and his private key, he signs each verified
key, exports the key, encrypts it with the signed public key, and sends it
by attachment to the corresponding owner.
4. The owner of the signed key decrypts it (which also verifies that he
owns this key), and imports the signature on his key.
5. The owner of the key may publish the updated key, which includes the new
signatures. Re-publishing can be done by WKD, by uploading it somewhere,
sending it by attachment, etc.

Maybe there are some issues with this process, I am not 100% sure that it
works correctly.

Regards,
Dashamir
