WKD for GitHub pages

Stefan Claas spam.trap.mailing.lists at gmail.com
Tue Jan 12 23:30:17 CET 2021


On Tue, Jan 12, 2021 at 11:02 PM Daniele Nicolodi <daniele at grinta.net> wrote:

> The point of WKD is using the trust of the CA machinery (and the
> assumption that the email infrastructure and web servers serving a
> specific domain are run by the same organization) to securely retrieve
> OpenPGP keys associated to an email address. These keys can then be used
> to communicate with the holder of the email address.
>
> The parties in the communication are identified by email addresses.
>
> In your scheme there are no email addresses. How is retrieving an
> OpenPGP key from a random .github.io subdomain different from obtaining
> it in any other untrusted way? What is the line of trust in the scheme
> you are proposing?

Please let me clarify one thing (and I do not want to play or act like
a teacher, unknown to you or others).

Before PGP was invented by Mr. Zimmermann, public key cryptography
did not need a Web of Trust, nor a public key which has to bear a
name or an email address! I, for example, use besides OpenPGP software
also public key crypto software based on Professor Bernstein's NaCl
library, with friends in the United States, Canada and Germany. This
public key is a 256-bit key without a single piece of metadata, and
communicating with my friends is authenticated.

Public key cryptography does not mean, even if I place my publicly
available key on a site, that the whole world needs to know with whom
I communicate and through which channels. It is IMHO a misunderstanding
people make, new to public key cryptography, while only knowing popular
OpenPGP software. sequoia-pgp, in that respect, honors this old principle
and allows, for example, also users to create a key pair which does not
need a UID and therefore can act, same as NaCl box, the classic way of
public key cryptography.

The reason why I also like the option for, let's say, github.io pages
is that, as I have shown in the whole thread, a very well known
site like GitHub, with its millions of software developers, allows one
to host, via WKD, a multi-purpose public key without revealing
too many details.

Regards
Stefan



More information about the Gnupg-users mailing list