List: gnupg-devel
Subject: Re: WKD: returns only one pubkey (and why)
From: "Neal H. Walfield" <neal () walfield ! org>
Date: 2022-12-09 19:29:14
Message-ID: 87o7scwf3p.wl-neal () walfield ! org
On Fri, 09 Dec 2022 17:39:24 +0100,
Andrew Gallagher via Gnupg-devel wrote:
> WKD is not useful for verifying signatures, as it does not support key discovery by
> fingerprint, only by email. In order to verify an arbitrary signature you must
> either look up the key by fingerprint on a keyserver that supports it, or
> distribute a trusted-signers keyring in advance, e.g. by installing a keyring
> package.
A signature can include the 'Signer's User ID' subpacket. If that is
included in the signature, then it is possible to use WKD to look up
the certificate.
https://www.rfc-editor.org/rfc/rfc4880#section-5.2.3.22
Further, it makes sense to follow up a key server lookup with other
lookups like WKD to make it harder for an attacker to withhold some of
the certificate (e.g., a revocation).
Neal
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
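The lookup Neal describes, worked through end to end as an added example (this is not code from the thread or from GnuPG): parse a v4 OpenPGP signature packet, pull out the Signer's User ID subpacket (type 28, RFC 4880 section 5.2.3.22), and turn the address into the WKD "advanced" and "direct" URLs from draft-koch-openpgp-webkey-service (SHA-1 of the lowercased local part, z-base-32 encoded). The hashed subpacket area is consulted first, because a subpacket in the unhashed area is not covered by the signature and could have been rewritten in transit; either way the User ID is only a hint for which certificate to fetch, and the signature must still verify against the fetched key. The `build_demo_signature` helper constructs a minimal packet with dummy MPI data purely so the parser has input; the address `Joe.Doe@Example.ORG` is the draft's own illustration.

```python
"""Added example: from a signature's Signer's User ID subpacket to a WKD URL."""
import hashlib
import struct
import urllib.parse
from typing import Dict, Iterator, Optional, Tuple

SIGNATURE_PACKET_TAG = 2
SIGNER_USER_ID = 28          # subpacket type, RFC 4880 section 5.2.3.22
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"   # alphabet used by WKD


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5-bit groups, most significant bits first, no padding."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def _packet_body(pkt: bytes) -> Tuple[int, bytes]:
    """Split one OpenPGP packet into (tag, body); new and old format headers."""
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new format header
        tag, l1 = first & 0x3F, pkt[1]
        if l1 < 192:
            start, length = 2, l1
        elif l1 < 224:
            start, length = 3, ((l1 - 192) << 8) + pkt[2] + 192
        elif l1 == 255:
            start, length = 6, struct.unpack(">I", pkt[2:6])[0]
        else:
            raise ValueError("partial body lengths not supported")
    else:                                             # old format header
        tag, ltype = (first >> 2) & 0x0F, first & 3
        if ltype == 0:
            start, length = 2, pkt[1]
        elif ltype == 1:
            start, length = 3, struct.unpack(">H", pkt[1:3])[0]
        elif ltype == 2:
            start, length = 5, struct.unpack(">I", pkt[1:5])[0]
        else:
            raise ValueError("indeterminate length not supported")
    return tag, pkt[start:start + length]


def _subpackets(area: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, data) for each signature subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        l1 = area[i]
        if l1 < 192:
            length, i = l1, i + 1
        elif l1 < 255:
            length, i = ((l1 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length


def signer_user_id(sig_packet: bytes) -> Optional[str]:
    """Return the Signer's User ID from a v4 signature packet, or None."""
    tag, body = _packet_body(sig_packet)
    if tag != SIGNATURE_PACKET_TAG or body[0] != 4:
        raise ValueError("expected a v4 signature packet")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
    unhashed = body[off + 2:off + 2 + unhashed_len]
    # Hashed area first: only it is protected by the signature itself.
    for area in (hashed, unhashed):
        for sub_type, data in _subpackets(area):
            if sub_type == SIGNER_USER_ID:
                return data.decode("utf-8")
    return None


def wkd_urls(user_id: str) -> Dict[str, str]:
    """Advanced and direct WKD URLs per draft-koch-openpgp-webkey-service."""
    addr = user_id[user_id.index("<") + 1:user_id.rindex(">")] if "<" in user_id else user_id
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    q = urllib.parse.quote(local)          # ?l= carries the local part unmodified
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={q}",
    }


def build_demo_signature(user_id: str) -> bytes:
    """Constructed v4 signature packet with only a Signer's User ID subpacket
    and dummy MPI data; it exists so the parser above has something to read."""
    uid = user_id.encode("utf-8")
    if len(uid) + 1 >= 192:
        raise ValueError("demo builder only emits one-octet lengths")
    sub = bytes([len(uid) + 1, SIGNER_USER_ID]) + uid
    body = bytes([4, 0x00, 1, 8])                   # v4, binary sig, RSA, SHA-256
    body += struct.pack(">H", len(sub)) + sub       # hashed subpacket area
    body += struct.pack(">H", 0)                    # empty unhashed area
    body += b"\x00\x00"                             # left 16 bits of hash (dummy)
    body += struct.pack(">H", 8) + b"\xff"          # dummy 8-bit MPI
    return bytes([0xC0 | SIGNATURE_PACKET_TAG, len(body)]) + body


if __name__ == "__main__":
    uid = signer_user_id(build_demo_signature("Joe.Doe@Example.ORG"))
    for method, url in wkd_urls(uid).items():
        print(method, url)
```

A client that already fetched the certificate from a keyserver would issue the same request afterwards and merge what comes back, so that a revocation withheld by one source is still picked up from the other.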