WKD: returns only one pubkey (and why)
Bernhard Reiter
bernhard at intevation.de
Thu Jan 26 11:04:32 CET 2023
Hi Werner,
On Thursday, 26 January 2023 09:42:24, Werner Koch via Gnupg-devel wrote:
> > I just want to self-publish all trusted keys
> > for my email address and have a protocol to specify that people should
>
> Actually you can do this, but we don't have the tooling to upload such a
> key without manual intervention. Here is a test case:
> Then on the client you can test this:
> Both keys have been retrieved
for my understanding, this technical test case
tests something that is outside the specification of
https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-15#name-key-discovery
?
(the current specification, as cited in the start of the discussion)
> (filtered to have only the requested user
> id) and the best matching key has been listed. With an implementation
> w/o support for ed25519 the RSA key would have been listed.
>
> So far with the theory and here comes the bug: There is no valid
> encryption subkey and thus --locate-external-key should indeed list the rsa
> key. See https://dev.gnupg.org/T6358 .
Looks like an example of how distributing two active keys via WKD
makes it more complicated to implement use case 1).
And for a rollover, just the new public key could be distributed,
so I'd say multiple pubkeys are not necessary for the rollover.
Regards
Bernhard
--
https://intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter
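The key-discovery mapping of the draft cited in the thread (lower-case the local-part, SHA-1 it, z-base32 the digest, place it under .well-known/openpgpkey), as an added example that is not code from GnuPG, the draft, or either poster; the address Joe.Doe@Example.ORG is a constructed sample input.

```python
"""Derive WKD lookup URLs for a mail address (draft-koch-openpgp-webkey-service).

Added example for this thread, not GnuPG code. Only the standard library is used.
"""
import hashlib
from urllib.parse import quote

# z-base32 alphabet as used by WKD for the hashed local-part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base32 without padding: emit the input 5 bits at a time, MSB first."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5          # zero-fill the last group (a no-op for SHA-1's 160 bits)
    bits <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(bits >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """Hashed local-part: SHA-1 of the lower-cased local-part, z-base32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Advanced and Direct method key URLs plus the policy URLs a client probes first."""
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The ?l= query carries the local-part as typed, so the server can match case.
    query = "?l=" + quote(local_part, safe="")
    adv_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    dir_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{adv_base}/hu/{h}{query}",
        "direct": f"{dir_base}/hu/{h}{query}",
        "advanced_policy": f"{adv_base}/policy",
        "direct_policy": f"{dir_base}/policy",
    }


if __name__ == "__main__":
    # Constructed sample address; a client tries "advanced" before falling back to "direct".
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```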