WKD draft: suggestions

Bernhard Reiter bernhard at intevation.de
Fri Dec 9 09:39:30 CET 2022


Hi Werner,

a)
https://www.ietf.org/archive/id/draft-koch-openpgp-webkey-service-15.html#name-policy-flags
has
     o  "submission-address": An alternative way to specify the submission
      address.  The value is the addr-spec part of the address to send
      requests to this server.  If this keyword is used in addition to
      the "submission-address" file, both MUST have the same value. 

and in 4.1.  The Submission Address

   The file consists of exactly one line [..]
   with the full mail address

As  addr-spec part != full mail address,
both do not "have the same value". Maybe you can phrase it like

   both MUST indicate the same mail address.

b)
You write `PGP/MIME` in a couple of places referring to RFC3156.
But RFC3156 does not use that abbreviation, `OpenPGP/MIME` seems 
a better fterm (and is used already once in rfc2440 and 4880).

c) 
It is implicitely clear, but implementors may benefit from writing it 
explicitely that
   only _one_ public key, which is ready for use, MUST be returned,

so that a client can use this public for encryption right away
(after checking that the mail address in the user id matches
the one it wants to encrypt to).

d)
Additional revoked pubkeys are allowed to be returned (which are not ready for 
usage), but this maybe suboptimal, becase if they are revoked I'd expect an 
implementation to not use them for calculating trust anymore.

It would be more interesting to allow expired public keys (which are also not 
ready for use), as they could be used to establish more trust,
if there is a signature by them on the current active pubkey.
But for a good rollover process, overlaping pubkeys seems nice, but this would
go against the simplicity of having only one pubkey ready for usage returned.
So I am not sure about this one.

Best Regards
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20221209/5f0b4be3/attachment.sig>


More information about the Gnupg-devel mailing list