Hi,

Just wondering, I've got "auto-key-retrieve" set in my gpg.conf. I'm using gpgme, and as far as I'm aware it fetches keys it doesn't know upon reading the message (gives a little delay) to verify the signature is OK.
Is this a different thing somehow?

Thanks,
Fabian

On 04-07-2018 23:27:23 +0200, Wiktor Kwapisiewicz wrote:
> Hello mutt-dev,
>
> I would like to extend mutt to add fetching GPG keys over Web Key
> Directory protocol.
>
> (I've previously created an issue on gitlab [0] but I'll summarize the
> thing here for the broader audience).
>
> Web Key Directory is a new scheme for GPG key discovery. It converts the
> e-mail address to HTTPS URL and fetches the key from there. It is
> already supported by some e-mail clients (EnigMail, GpgOL).
>
> For example kernel.org has it enabled and Linus' key is at:
> https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x
>
> As GnuPG 2 has it enabled by default "gpg --locate-key
> [email protected]" will fetch that key.
>
> I've been exploring mutt's source code and the change would mostly be
> enabling external lookup for keys that are not locally present [1] when
> encryption is explicitly turned on (gpgme backend).
>
> That raises some privacy issues, the same was discussed on gnupg-devel
> ML [2] (gpg by default will fetch the key via WKD when encrypting to a
> recipient but will *not* fetch the key when verifying signatures).
>
> The question is how to do it well. Maybe ask the user if they want to
> search for the key using WKD if it's not locally present?
>
> An option would be the first choice but I worry about it not being used
> at all (as people rarely enable non-standard features [3]).
>
> Thank you for your consideration!
>
> Kind regards,
> Wiktor
>
> [0]: https://gitlab.com/muttmua/mutt/issues/55
>
> [1]: gpgme_set_keylist_mode(ctx,
> GPGME_KEYLIST_MODE_LOCAL|GPGME_KEYLIST_MODE_EXTERN); in
> crypto-gpgme.c#get_candidates.
>
> [2]: https://lists.gnupg.org/pipermail/gnupg-devel/2017-August/033021.html
>
> [3]: https://gitlab.com/muttmua/mutt/issues/3
>
> --
> https://metacode.biz/@wiktor

--
Fabian Groffen
Gentoo on a different level
