Only one pubkey to be delivered by WKD (Re: Update keys.gnupg.net?)
Simon Josefsson
simon at josefsson.org
Wed Jul 28 17:36:54 CEST 2021
Bernhard Reiter <bernhard at intevation.de> writes:
> On Wednesday, 28 July 2021 12:28:08, Simon Josefsson via Gnupg-devel wrote:
>> It seems like a
>> neat thing to have all my keys in there, in case someone wants to verify
>> old signatures. Is this forbidden? As far as I can tell from wks draft
>> -12 it is permitted: 'Note that the key may be revoked or expired - it
>> is up to the client to handle such conditions.'.
>
> Yes, in my reading it is "forbidden" to have more than one non-revoked pubkey
> in a WKD response.
>
> Citing from
> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/12/
>
> The HTTP GET method MUST return the binary representation of the
> OpenPGP key for the given mail address. The key needs to carry a
> User ID packet ([RFC4880]) with that mail address. Note that the key
> may be revoked or expired - it is up to the client to handle such
> conditions. To ease distribution of revoked keys, a server may
> return revoked keys in addition to a new key. The keys are returned
> by a single request as concatenated key blocks.
>
> It is singular "the key" and "in addition to a new key".
The start of the paragraph talks about 'the key' but the end of the
paragraph talks about 'the keys', in plural. I don't think it is
terribly clear that it MUST NOT be more than one key. What is the
problem with serving more than one key? It seems like a useful thing to
do during key roll-over, or even during extended periods to make it
easier for people to verify older signatures.
/Simon
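As an added example (not code from this thread, from GnuPG or from the WKD draft), the script below splits a WKD response into its concatenated key blocks using RFC 4880 packet framing and reports how many of them are not revoked, which is the property the two readings of the draft disagree on. The sample response is constructed from synthetic packets with correct framing but no real cryptographic material. Revocation is detected only from the presence of a key-revocation signature packet (type 0x20) and is not verified, and expiration subpackets are not examined; a real client would have to do both. The mail address and key layout are assumptions for illustration.

```python
"""Split a concatenated WKD response into OpenPGP key blocks and audit it.

Added example, not GnuPG or WKD project code. Only RFC 4880 packet framing
is implemented; sample data below is synthetic and carries no real keys.
"""
import struct

PUBLIC_KEY, SIGNATURE, USER_ID = 6, 2, 13
KEY_REVOCATION = 0x20  # RFC 4880 5.2.1 signature type: key revocation


def parse_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet in data (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        if hdr & 0x40:  # new format: tag in low 6 bits, variable length field
            tag, b0 = hdr & 0x3F, data[pos + 1]
            if b0 < 192:
                length, pos = b0, pos + 2
            elif b0 < 224:
                length, pos = ((b0 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif b0 == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths are not valid in key material")
        else:  # old format: tag in bits 5..2, length-type in bits 1..0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet in key material")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += length


def split_keys(data: bytes):
    """Each transferable public key starts with a Public-Key packet (tag 6)."""
    keys, current = [], []
    for tag, body in parse_packets(data):
        if tag == PUBLIC_KEY and current:
            keys.append(current)
            current = []
        current.append((tag, body))
    return keys + [current] if current else keys


def signature_type(body: bytes) -> int:
    # v3: version, hashed-material length, sig type; v4+: version, sig type
    return body[2] if body[0] == 3 else body[1]


def summarize_key(packets, address: str) -> dict:
    """User IDs, presence of an (unverified) key-revocation signature, and
    whether the block carries the requested mail address as WKD requires."""
    uids = [b.decode("utf-8", "replace") for t, b in packets if t == USER_ID]
    revoked = any(t == SIGNATURE and signature_type(b) == KEY_REVOCATION
                  for t, b in packets)
    return {"uids": uids, "revoked": revoked,
            "has_address": any(u == address or f"<{address}>" in u for u in uids)}


def audit_wkd_response(data: bytes, address: str) -> dict:
    keys = [summarize_key(p, address) for p in split_keys(data)]
    live = sum(1 for k in keys if not k["revoked"])
    return {"keys": keys, "live_keys": live, "single_live_key": live == 1,
            "all_carry_address": all(k["has_address"] for k in keys)}


# ---- constructed sample data (synthetic framing, no real key material) ----
def _packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one- or two-octet body length."""
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body


def _v4_sig(sigtype: int) -> bytes:
    # version 4, type, RSA, SHA-256, empty subpacket areas, hash prefix, dummy MPI
    return bytes([4, sigtype, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD]) + b"\x00\x01\x01"


def _fake_key(uid: str, revoked: bool) -> bytes:
    primary = bytes([4]) + struct.pack(">I", 1600000000) + bytes([1]) + b"\x00\x01\x01"
    block = _packet(PUBLIC_KEY, primary)
    if revoked:
        block += _packet(SIGNATURE, _v4_sig(KEY_REVOCATION))
    return block + _packet(USER_ID, uid.encode()) + _packet(SIGNATURE, _v4_sig(0x13))


ADDRESS = "simon@josefsson.org"  # assumed lookup address
UID = f"Simon Josefsson <{ADDRESS}>"
ALLOWED = _fake_key(UID, False) + _fake_key(UID, True)     # new key + revoked old key
CONTESTED = _fake_key(UID, False) + _fake_key(UID, False)  # two non-revoked keys

if __name__ == "__main__":
    for name, blob in (("allowed", ALLOWED), ("contested", CONTESTED)):
        print(name, audit_wkd_response(blob, ADDRESS))
```

Under Bernhard's reading only the first response is acceptable (one live key, any number of revoked ones); under Simon's reading both are, and it is the client that must pick among the live keys.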