On Tue, Jan 12, 2021 at 8:17 PM André Colomb <an...@colomb.de> wrote:
>
> Hi Stefan,
>
> So there are two "bugs" involved here. 1. GitHub presenting an invalid
> certificate for the sub-subdomain and 2. Sequoia not noticing that.
> Neither of these are bugs in GnuPG. If you can accept these facts, then
> it makes sense to further discuss what could be changed where to make
> your desired setup work. Maybe that discussion will lead to a concise
> change proposal.

Hi Andre,

currently I can only accept the fact that these two "bugs" are currently not resolved in GnuPG and gpg4win, if you allow me to formulate it this way. I desperately hope that this thread will lead to a fruitful outcome for GnuPG and gpg4win users, while I personally could care less, because I just checked yesterday the latest sq version and I am happy that it works.

> One more question: You're talking about OpenPGP key discovery setups for
> families and small groups, IIUC. And that should involve WKD and
> GitHub. But how should these people actually get working e-mail
> addresses @example.github.io? WKD very specifically ties the key
> discovery to the control over the involved domain. It moves part of the
> trust relationship to the domain administrator. So who is actually in
> control over those e-mail addresses?

Good question Andre! In case of github.io there is apparently no email address, which is IMHO a good thing if people like to set up a github.io page and do not want to reveal their real email address to third parties, which is IMHO their good right, in case they like to use this github.io pub key as a multi-purpose key, let's say for multiple email accounts from other services, file transfer, NFC postcards, you name it.

Let's take gnupg.org as an example. If I am not mistaken, dev.gnupg.org has a different cert than gnupg.org. Let's assume also that gnupg.org would come up with the idea of running keys.gnupg.org. I strongly believe that a (purchased) SSL cert for gnupg.org, covering wildcard subdomains, like GitHub's cert, is neither wrong nor does it cause any security implications when the direct method is used.

Speaking of overhead, I must admit (again) I do not understand what this is or what this can cause for a server maintainer or a GnuPG or gpg4win user, when I for example can fetch my pub key with sequoia real quick, because in binary form these are only a couple of bytes, and I strongly believe that a simple directory structure, holding some files, on a web server has no issues either.

> I hope this mail will not upset you. Just trying to clarify what you
> might have misunderstood that leads to people not understanding or
> agreeing with your proposal. I don't mind being proven wrong if it was
> in fact my misunderstanding.

Of course not, and I would appreciate it if this issue can be discussed further!

Best regards
Stefan
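The two points argued in this thread, that WKD ties lookup to the domain and that a wildcard certificate for github.io cannot cover the advanced-method host openpgpkey.example.github.io, can be checked directly. The following is an added example written for this page, not code from the thread or from GnuPG or Sequoia; the certificate name list is a constructed assumption, and the address alice@example.github.io is hypothetical.

```python
import hashlib

# z-base-32 alphabet used by the WKD hu/ directory names
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (5-bit groups, MSB first, no padding chars)."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    bits = int.from_bytes(data, "big") << pad
    return "".join(ZB32[(bits >> s) & 31] for s in range(nbits + pad - 5, -1, -5))


def wkd_urls(email: str) -> dict:
    """Return the WKD direct and advanced lookup URLs for an address."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    # the local-part is lowercased before hashing; the ?l= query keeps the original
    hu = zbase32(hashlib.sha1(local.lower().encode()).digest())
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={local}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={local}",
    }


def host_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: a leading '*' matches exactly one DNS label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 3 and p[0] == "*":
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_covers_wkd(email: str, cert_names: list) -> dict:
    """For each WKD method, does any certificate name cover the host it contacts?"""
    result = {}
    for method, url in wkd_urls(email).items():
        host = url.split("/")[2]
        result[method] = any(host_matches(n, host) for n in cert_names)
    return result


if __name__ == "__main__":
    # constructed name list standing in for a wildcard cert such as GitHub's
    names = ["*.github.io", "github.io"]
    print(cert_covers_wkd("alice@example.github.io", names))
```

The direct method contacts example.github.io, which the wildcard covers; the advanced method contacts openpgpkey.example.github.io, one label too deep for `*.github.io`, which is why that host presents a certificate that does not validate.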