photo-ID omitted when retrieving keys from WKD
Ingo Klöcker
kloecker at kde.org
Mon Jan 31 18:53:58 CET 2022
On Monday, 31 January 2022 15:58:22 CET Piotr Morgwai Kotarbinski via Gnupg-users wrote:
> I have a public key with a photo-ID uploaded to WKD at my domain and when I
> download it manually and import to gpg, everything works as expected:
[...]
> However if I try to locate the same key automatically using WKD mechanism,
> then the attached photo-ID is not imported into my keyring:
[...]
> Is this intended or is it a bug?
Yes, this is intended. Keys retrieved via WKD are always imported with the
equivalent of the import filter {keep-uid=<email address used for WKD
retrieval>}.

The reasoning is that only user ids matching the email address used to
retrieve the key via WKD can be somewhat trusted (if you trust the people
running the WKS). Any other user id including photo ids on the key could be
fake, i.e. you could easily add the photo of another person as photo id to
your key.
Regards,
Ingo
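
A simplified model of the filtering described in the message above, as an added example that is not part of the original post and is not GnuPG's code: it walks a constructed OpenPGP packet sequence and keeps only user IDs whose mailbox matches the lookup address, so the user attribute (photo ID) packet and its signature are dropped. The helper names, the sample addresses and the dummy packet bodies are assumptions made for illustration.

```python
import re

PUBKEY, SIG, UID, ATTR = 6, 2, 13, 17   # OpenPGP packet tags (RFC 4880)

def packet(tag, body):
    """Encode a new-format packet with a one-octet length (body < 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

def parse(data):
    """Yield (tag, body) for new-format packets with one-octet lengths."""
    i = 0
    while i < len(data):
        tag, length = data[i] & 0x3F, data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def mbox(uid):
    """Extract the mail address from a user ID such as 'Name <a@b>'."""
    m = re.search(r"<([^<>]+)>\s*$", uid)
    return (m.group(1) if m else uid).strip().lower()

def keep_uid(data, address):
    """Keep only user IDs whose mailbox equals `address`, with their signatures.
    User attribute packets (photo IDs) carry no mailbox and are dropped."""
    kept, keeping = [], True          # packets before the first user ID are kept
    for tag, body in parse(data):
        if tag == UID:
            keeping = mbox(body.decode("utf-8", "replace")) == address.lower()
        elif tag == ATTR:
            keeping = False           # photo ID: cannot match an email address
        elif tag != SIG:
            keeping = True            # key material (primary key or subkey)
        if keeping:                   # a signature follows the fate of its owner
            kept.append((tag, body))
    return kept

# Constructed sample: dummy key and signature bodies, not a real key.
SAMPLE = b"".join([
    packet(PUBKEY, b"primary-key"),
    packet(UID, b"Alice Example <alice@example.org>"), packet(SIG, b"selfsig-1"),
    packet(UID, b"Alice <alice@other.example>"), packet(SIG, b"selfsig-2"),
    packet(ATTR, b"jpeg-photo-bytes"), packet(SIG, b"selfsig-3"),
])

def summary(address):
    """Return the (tag, body) pairs that survive the filter for `address`."""
    return [(t, b.decode()) for t, b in keep_uid(SAMPLE, address)]
```
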