On Tuesday, 1 February 2022 18:22:00 CET Piotr Morgwai Kotarbinski via Gnupg-users wrote:
> hmm: I don't seem to follow:
> if a user decided to trust (to certain extent) some domain's WKS admins
> regarding key fingerprints

That's not what I meant by "trust the WKS admins". What I meant is whether you trust the WKS admins to make sure that only those people who control a certain email address can upload an OpenPGP key for this email address to the WKS.

> (for example the user trusts that the WKS admins
> verify key fingerprints with members of their organization by some means of
> their internal procedures), it seems quite arbitrary to assume that the
> user should definitely NOT trust the same admins regarding photo-IDs
> verification (for example the admins may be comparing photo-IDs with photos
> from their HR DB before publishing to the WKD).

Verification of user ids and photo-IDs should be documented by signing those entities. If you trust the WKS admins (or some other entity) to properly verify user ids and photo-IDs, then you sign their key (probably with a non-exportable signature) and set the owner trust of their key. This has nothing to do with WKS and that's not the problem that WKS is trying to solve. It's plain old web-of-trust.

> Furthermore, it may happen that some photo-ID stored in a WKD is signed by a
> 3rd party that is already trusted by the user. Stripping such photo-ID may
> unnecessarily conceal information that may be useful/important to the user.
>
> Am I missing maybe some part of the story that invalidates my reasoning?

Distribution of OpenPGP keys with loads of user ids including photo-IDs is not what WKD is about. It's about providing a well defined location for looking for the OpenPGP key for a single email address. GnuPG decided that it strips any user ids not matching the email address from the downloaded key during the import. Note that GnuPG internally marks keys/user ids downloaded via WKD as such. In the future this may allow users of GnuPG to tell gpg that it should automatically treat keys retrieved via WKD (probably for certain domains) as partially or fully valid.

If you want to get everything someone uploaded to some WKS, then simply download the public key block from the well defined URL and then import it with gpg. Using the --key-origin option you can even tell gpg that it should treat this public key block as if it was downloaded via WKD. (I have not really verified whether gpg really treats such an import identical to a WKD retrieval.)

Regards,
Ingo
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users