The current WKD/WKS draft offers no direct guidance to WKD clients about the type of filtering they should do.
It would be great to have a "WKD client imlementation guidance" section that describes the type of filtering that a responsible client would do, similar to our discussion over in T4607.
The current WKD/WKS draft offers no direct guidance to WKD clients about the type of filtering they should do.
https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-15#name-security-considerations-2
at least has
It is further recommended that a client filters a received key or a key send for a publication requests so that only the specific User ID with the mail address of the provider is imported or send. A client MUST NOT accept a HTTP authentication challenge (HTTP code 401) because the information in the Web Key Directory is public and needs no authentication. Allowing an authentication challenge has the problem to easily confuse a user with a password prompt and tricking him into falsely entering the passphrase used to protect his private key or to login to his mail provider.
It specifies some filtering. Is this good enough for the first part of this issue?
Otherwise: What would be missing?
Can the second part be splitted out?