WKD: returns only one pubkey (and why)

Andrew Gallagher andrewg at andrewg.com
Wed Dec 14 11:31:40 CET 2022


On 13 Dec 2022, at 21:32, Dashamir Hoxha via Gnupg-devel <gnupg-devel at gnupg.org> wrote:
> 
> However, I am not sure: can we find out the userids of the key that is used to sign? If not, then we cannot infer the domain of the well-known url.

See Neal’s earlier comment. We can in principle, but only if the signer has added that subpacket to their signature, which cannot be relied upon.

> In this case we might need a directory service to lookup the userid(s) that are associated with a certain key id (think of it like a phone book -- you know the phone number and you can find the name of its owner). This directory service might be based on blockchains, or it might be a modified (simplified?) version of the current keyservers.

If you think keyservers are prone to abuse and spam, you *do not* want a blockchain.

> However, if we have such a directory service, then we can just list the url where the public key is located, so maybe we don't need a "well-known url" format.

Or we could just serve the key directly from the directory… ;-)

A

