Hi Christopher,

Christopher Beck:
> Hi,
>
> just a (maybe) stupid question: the matching key to my recipient can be
> fetched by keyservers and I determine the correct key of all of the
> (sometimes "wrong" keys) by validating the signatures according to the WoT.
> So, what's the benefit of this new key service? It sounds much more
> complicated (and untrustworthy) than just using the WoT.

Within the WoT the certificate chain relies on the ultimate fact that you have physically met at least one WoT member in person, that each of you has checked that the other's ID document is valid and that the photo corresponds to him/her, and that you have exchanged and verified the fingerprints of your public keys (off-line key verification). Then you send the signed key to the other person. As your public key is now signed by a person of the WoT and his key is signed by you (and you have updated your keys with the new signature(s) on a keyserver), you are also "associated" with the other members of the WoT that this WoT member is directly associated with.

With the WKS [1] it is not necessary to have (physically) met a person beforehand. The server (of the mail provider) checks that a key sent with/from the generated submission address has a user ID that really corresponds to a legitimate mail address (account) of the user on that provider's server, by sending a message containing a nonce and the fingerprint. After a successful verification the key is published. There is no offline key exchange/verification, although you might think of "WKS users" who then meet in person and, additionally, do that.

What you mean by "untrustworthy" is (1) that you have to trust the mail provider setting up the WKS service and (2) that there is no initial step of offline key exchange/verification, don't you?

I think it's to push the mass usage of OpenPGP keys (given the fact that the WoT grows at a speed that is too low), but you surely have to rely on the mail provider's trustworthiness. But there is no obstacle to doing an off-line verification afterwards.

But I'd also like to know more about possible weak points related to the usage of WKS.
Stebe

[1] https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-01.html

Christopher Beck:
> Hi,
>
> just a (maybe) stupid question: the matching key to my recipient can be
> fetched by keyservers and I determine the correct key of all of the
> (sometimes "wrong" keys) by validating the signatures according to the WoT.
> So, what's the benefit of this new key service? It sounds much more
> complicated (and untrustworthy) than just using the WoT.
>
> Confused Greetings
>
> Beckus
>
> On Tuesday, 30 August 2016 16:39:15 CEST Werner Koch wrote:
>> Hi,
>>
>> I just published a writeup on how to setup the Web Key Service at
>> https://gnupg.org/blog/20160830-web-key-service.html
>>
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
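The submission/confirmation flow Stebe describes above (key sent from the submission address, server mails back a nonce plus the fingerprint, key published only after the nonce comes back), as an added example that is not part of the original post, of the WKS draft or of GnuPG. Keys are stand-ins (a fingerprint string plus a list of user-ID mail addresses), the domain, account list and addresses are constructed, and the encryption of the confirmation request to the submitted key is left out; the lookup path the verified key is published under follows the Web Key Directory scheme of the cited draft [1] (z-base-32 of the SHA-1 of the lowercased local part under /.well-known/openpgpkey/hu/). The replay and wrong-mailbox cases show why the nonce has to be single-use and bound to both the fingerprint and the account.

```python
"""Added example (not code from the WKS draft, GnuPG or the gnupg-users post):
a simulation of the WKS submission/confirmation exchange and of the WKD
lookup URL a verified key is published under. Keys are stand-ins (fingerprint
string plus user-ID mail addresses); the encryption of the confirmation
request to the submitted key is omitted."""
import hashlib
import secrets

# z-base-32 alphabet used by the Web Key Directory draft for hashed local parts.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first,
    last partial group zero-padded on the right, no padding characters."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32[(bits >> nbits) & 31])
    if nbits:
        out.append(ZB32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD maps the lowercased local part through SHA-1 and z-base-32 (32 chars)."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_url(address: str) -> str:
    """Direct WKD lookup URL under which a verified key is published."""
    local, domain = address.rsplit("@", 1)
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local)}"


class WksServer:
    """Provider side: accepts a submission only for its own accounts, binds a
    fresh nonce to the submitted fingerprint, publishes after confirmation."""

    def __init__(self, domain: str, accounts):
        self.domain = domain.lower()
        self.accounts = {a.lower() for a in accounts}  # constructed: local parts hosted here
        self.pending = {}    # nonce -> (fingerprint, address); single use
        self.published = {}  # WKD URL -> fingerprint

    def receive_submission(self, sender: str, key: dict):
        """Return the confirmation request to mail back, or None if rejected."""
        sender = sender.lower()
        local, _, domain = sender.rpartition("@")
        # The user ID must name an address in our domain, that address must be a
        # real account here, and the submission must come from that very mailbox.
        if domain != self.domain or local not in self.accounts:
            return None
        if sender not in (u.lower() for u in key["uids"]):
            return None
        nonce = secrets.token_urlsafe(24)
        self.pending[nonce] = (key["fingerprint"], sender)
        # The real server encrypts this to the submitted key, so only someone who
        # can read the mailbox *and* holds the private key can answer it.
        return {"fingerprint": key["fingerprint"], "nonce": nonce, "address": sender}

    def receive_confirmation(self, sender: str, fingerprint: str, nonce: str) -> bool:
        """Publish the key if nonce, fingerprint and mailbox all match; the nonce
        is consumed either way, so a captured confirmation cannot be replayed."""
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        fpr, address = entry
        if fpr != fingerprint or address != sender.lower():
            return False
        self.published[wkd_url(address)] = fpr
        return True


def simulate() -> dict:
    """Run one rejected and one successful exchange; constructed data throughout."""
    server = WksServer("example.org", accounts=["alice"])
    alice_key = {"fingerprint": "A" * 40, "uids": ["Alice@example.org", "alice@example.com"]}
    mallory_key = {"fingerprint": "B" * 40, "uids": ["alice@example.org"]}

    # Mallory submits a key carrying Alice's user ID, but from a mailbox he controls.
    rejected = server.receive_submission("mallory@example.net", mallory_key)

    # Alice submits from her own mailbox and echoes the challenge back once.
    request = server.receive_submission("alice@example.org", alice_key)
    confirmed = server.receive_confirmation("alice@example.org", request["fingerprint"], request["nonce"])
    replayed = server.receive_confirmation("alice@example.org", request["fingerprint"], request["nonce"])
    return {"rejected": rejected is None, "confirmed": confirmed,
            "replay_accepted": replayed, "published": dict(server.published)}


if __name__ == "__main__":
    for url, fpr in simulate()["published"].items():
        print(fpr, "->", url)
```

What the simulation does not model is exactly the trust question raised in the thread: the provider that runs this server decides which key ends up under the lookup URL, so a compromised or dishonest provider can publish a key of its choosing for any account it hosts. The nonce exchange only proves that whoever answered could read the mailbox (and, with the omitted encryption, hold the private key); it is not a substitute for an off-line fingerprint check.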
