On Tue, 16 Jan 2018 16:46, stefan.cl...@posteo.de said:

> This part i do not understand... i send the rev cert or my updated key
> again to WKD and then i can search a regular key server for the updated

A revoked key does not make sense in the WKD. Either the key exists and proves that this is the intended key for the mail address or it does not exist. There is no real revocation service. However, I would suggest to also upload the key to the keyservers so that it is easy to get revocation certificates and new subkeys from an independent party - no need to rely for this on the mail provider. We definitely want to refine some things there but that requires a wider deployment.

> i have with posteo's WKD implementation is that their policy is pretty
> strict, which i personally don't like and i told them so. I would like

Posteo only allows the mail address (addr-spec) and no real name in the key for data protection reasons. Thus a

  $ wget -O- posteo.de/.well-known/openpgpkey/policy 2>/dev/null
  # Policy for draft-koch-openpgp-webkey-service-04
  mailbox-only
  auth-submit

shows this policy flag. If you upload your key using a tool employing gpg-wks-client (e.g. Kmail or Enigmail) this policy will be detected, and if a plain addr-spec-only user-id does not exist a new user-id will be created and sent to posteo.

The real problem with Posteo is that they use invalid certificates for all but the posteo.de domain. Thus my posteo.net account does not work because they redirect to posteo.de but do not include posteo.net in the certificate for the initial access to posteo.net. Bummer.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
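The lookup and policy handling discussed above, as an added example that is not part of the original thread and not GnuPG's or gpg-wks-client's own code: it builds the WKD URL from the hashed local part, parses a policy file of the same shape as the posteo.de one quoted in the mail, and applies the mailbox-only rule (use a bare addr-spec user-id if the key has one, otherwise create one). Assumptions: the "advanced" URL on the openpgpkey. subdomain comes from later revisions of the draft than the -04 named in the policy; the sample user-ID lists and the userid_for_submission helper are constructed for illustration and do not mirror any gpg-wks-client API.

```python
"""Client-side pieces of an OpenPGP Web Key Directory (WKD) lookup and
key submission, written for inspection offline. Added example, not code
from the GnuPG project."""
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Policy text as shown in the mail for posteo.de (draft -04 flags).
SAMPLE_POLICY = """\
# Policy for draft-koch-openpgp-webkey-service-04
mailbox-only
auth-submit
"""


def zbase32(data: bytes) -> str:
    """z-base-32 encode: 5 bits per character, most significant bit first.
    A 20-byte SHA-1 is exactly 160 bits, so no padding bits are needed."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """URLs a client would fetch for the address. The ?l= parameter carries
    the original-case local part so the server can distinguish aliases."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local)
    q = "?l=" + quote(local, safe="")
    base_direct = f"https://{domain}/.well-known/openpgpkey"
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "direct": f"{base_direct}/hu/{h}{q}",
        "advanced": f"{base_adv}/hu/{h}{q}",  # assumption: later-draft form
        "policy_direct": f"{base_direct}/policy",
        "policy_advanced": f"{base_adv}/policy",
    }


def parse_policy(text: str) -> dict:
    """Parse a policy file: one flag per line, optional 'name: value',
    lines starting with '#' and blank lines ignored, names case-insensitive."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        policy[name.strip().lower()] = value.strip() if sep else True
    return policy


def _mailbox(uid: str) -> str:
    """addr-spec of a user ID, from 'Name <addr>' or a bare 'addr'."""
    m = re.search(r"<([^<>]+)>", uid)
    return (m.group(1) if m else uid).strip().lower()


def userid_for_submission(address: str, userids: list, policy: dict) -> tuple:
    """Choose the user ID to submit for `address` under `policy`.

    Returns (uid, created). With mailbox-only, the submitted key must carry
    a user ID that is exactly the addr-spec; created=True means the client
    has to add that bare user ID first, as the mail describes gpg-wks-client
    doing. (Helper constructed for this example, not a gpg-wks-client API.)
    """
    addr = address.lower()
    matching = [u for u in userids if _mailbox(u) == addr]
    if not matching:
        raise ValueError(f"key has no user ID for {address}")
    if policy.get("mailbox-only"):
        bare = [u for u in matching if u.strip().lower() == addr]
        return (bare[0], False) if bare else (address, True)
    return (matching[0], False)


def needs_confirmation(policy: dict) -> bool:
    """auth-submit means the provider authenticates the submitting mail
    account itself, so no confirmation round trip is expected."""
    return not policy.get("auth-submit")


if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG")["direct"])
    pol = parse_policy(SAMPLE_POLICY)
    # Constructed key with only a "Name <addr>" user ID: a bare one is needed.
    print(pol, userid_for_submission("joe.doe@example.org",
                                     ["Joe Doe <joe.doe@example.org>"], pol))
```

Against a live provider the two policy URLs are what a client fetches before deciding how to submit; the posteo.net failure in the mail is the TLS step of exactly that fetch, which this offline code does not perform.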
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users