On Fri, Jan 15, 2021 at 2:04 AM raf via Gnupg-users <gnupg-users@gnupg.org> wrote:
[...]
> I'm really not an expert, and the above might not make
> any sense. I'm just thinking aloud.

Me neither ... :-)

For me, the questions I had are still unresolved when it comes to properly explaining what security implication it gives, when for example sequoia-pgp can handle this and why the draft explicitly says it MUST use the advanced-method first.

Don't you think when GitHub, a major player, would have an invalid SSL cert, that maybe one of the millions of programmers there would not have contacted GitHub, like I did, and say hey GitHub you serve the global community and visitors an invalid SSL certificate?

I must admit that I also do not understand what you mean with sus-sub domains. My GitHub page is sac001.github.io and not foo.bar.github.io or whatever.

If Werner had told me/us, hey look, according to my draft the advanced method MUST be used because of this and that security implication and it is not allowed in this case to fall back if an (for WKD) invalid cert is present, because of this/that security issue, I guess then I would have had a better understanding and then I guess also the sequoia team would never have done it so that it works with sequoia-pgp.

Regards
Stefan