photo-ID omitted when retrieving keys from WKD
Ingo Klöcker
kloecker at kde.org
Tue Feb 1 20:03:38 CET 2022
On Dienstag, 1. Februar 2022 18:22:00 CET Piotr Morgwai Kotarbinski via Gnupg-users wrote:
> hmm: I don't seem to follow:
> if a user decided to trust (to certain extent) some domain's WKS admins
> regarding key fingerprints
That's not what I meant by "trust the WKS admins". What I meant is whether you
trust the WKS admins to make sure that only those people who control a certain
email address can upload an OpenPGP key for this email address to the WKS.
> (for example the user trusts that the WKS admins
> verify key fingerprints with members of their organization by some means of
> their internal procedures), it seems quite arbitrary to assume that the
> user should definitely NOT trust the same admins regarding photo-IDs
> verification (for example the admins may be comparing photo-IDs with photos
> from their HR DB before publishing to the WKD).
Verification of user ids and photo-IDs should be documented by signing those
entities. If you trust the WKS admins (or some other entity) to properly
verify user ids and photo-IDs, then you sign their key (probably with a
non-exportable signature) and set the owner trust of their key. This has
nothing to do with WKS, and that's not the problem that WKS is trying to solve.
It's plain old web-of-trust.
> Furthermore, it may happen that some photo-ID stored in a WKD is signed by a
> 3rd party that is already trusted by the user. Stripping such photo-ID may
> unnecessarily conceal information that may be useful/important to the user.
>
> Am I missing maybe some part of the story that invalidates my reasoning?
Distribution of OpenPGP keys with loads of user ids including photo-IDs is not
what WKD is about. It's about providing a well defined location for looking
for the OpenPGP key for a single email address. GnuPG decided that it strips
any user ids not matching the email address from the downloaded key during the
import. Note that GnuPG internally marks keys/user ids downloaded via WKD as
such. In the future this may allow users of GnuPG to tell gpg that it should
automatically treat keys retrieved via WKD (probably for certain domains) as
partially or fully valid.
If you want to get everything someone uploaded to some WKS, then simply
download the public key block from the well defined URL and then import it
with gpg. Using the --key-origin option you can even tell gpg that it should
treat this public key block as if it had been downloaded via WKD. (I have not
really verified whether gpg treats such an import identically to a WKD
retrieval.)
Regards,
Ingo
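The "download the key block from the well-defined URL yourself, then import it" route described in the message above, as an added example written for this page (it is not GnuPG's code and not part of the original thread). It builds the two WKD URLs for an address following the layout of the WKD draft (lowercased local part, SHA-1, z-base-32, "advanced" method under openpgpkey.<domain> and "direct" method under <domain>), and assembles the `gpg --key-origin wkd,<url> --import` command the message mentions. The address `Joe.Doe@Example.ORG` is a constructed sample input; whether gpg really treats such an import exactly like its own WKD retrieval is left open, as the author says.

```python
"""Build WKD lookup URLs for an e-mail address and import the fetched key
block with gpg --key-origin.  Added example, not GnuPG's own code."""
import hashlib
import subprocess
import sys
from urllib.parse import quote
from urllib.request import urlopen

# z-base-32 alphabet as used by the WKD draft (draft-koch-openpgp-webkey-service).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes with z-base-32: 5-bit groups, high bit first, no padding chars."""
    bits = "".join(f"{b:08b}" for b in data)
    out = []
    for i in range(0, len(bits), 5):
        chunk = bits[i:i + 5].ljust(5, "0")   # last group is zero-filled on the right
        out.append(ZBASE32[int(chunk, 2)])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (160 bits -> 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' method URLs for an address.

    The original (non-lowercased) local part is passed back in the ?l= parameter
    so the server can apply its own matching rules; the domain is lowercased.
    """
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def gpg_import_command(url: str, gpg: str = "gpg") -> list:
    """gpg reads the key block from stdin and records it as originating from WKD at url."""
    return [gpg, "--key-origin", f"wkd,{url}", "--import"]


def fetch_and_import(address: str, method: str = "advanced") -> int:
    """Download the raw key block and import it unmodified (all user ids kept).

    Unlike gpg's own WKD lookup, nothing strips user ids or photo-IDs here.
    Needs network access and a gpg binary; returns gpg's exit code.
    """
    url = wkd_urls(address)[method]
    with urlopen(url, timeout=15) as resp:
        key_block = resp.read()
    proc = subprocess.run(gpg_import_command(url), input=key_block)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample address; pass a real one as argv[1], add --fetch to import.
    addr = sys.argv[1] if len(sys.argv) > 1 else "Joe.Doe@Example.ORG"
    for name, url in wkd_urls(addr).items():
        print(f"{name}: {url}")
    print("manual import: curl -s <url> | " + " ".join(gpg_import_command("<url>")))
    if "--fetch" in sys.argv:
        sys.exit(fetch_and_import(addr))
```

gpg's own lookup tries the advanced method first and falls back to the direct one; `fetch_and_import` takes the method explicitly so you can see which URL actually served the key. Because the block is imported as downloaded, every user id and photo-ID the uploader included ends up in your keyring, which is exactly the difference from a normal WKD retrieval the message describes.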