- User Since
- Nov 7 2017, 3:40 PM (328 w, 1 d)
Mar 31 2022
I still think that redirecting to another catch-all domain is contrary to the original goal and weakens the security model. We need to see what we can do about this.
Jun 25 2021
Jan 5 2021
For the context of all subscribed parties I think Werner refers to what Hockeypuck is doing: https://lists.gnupg.org/pipermail/gnupg-users/2020-December/064441.html
Mar 10 2020
This is a nice idea and although it overlaps with Autocrypt it has other uses too: for example verification of signed files that can be vastly simplified (just get the file and the signature, no key fetching needed, downside: the key attached to the signature could be stale).
Aug 12 2019
Sounds interesting @stm! Are there technical documents or specifications I could read to dig into details?
Aug 6 2019
DNSSEC is a centralized CA system. Just different than the TLS one. Given that Certificate Transparency exists I'd say DNSSEC is less transparent than TLS. For example if you happen to have a .ly domain then the Libyan can silently control your signed zone. Given that there is no CT for DNSSEC they can do so selectively, for any connection they want. It wouldn't be the first problem with them.
Jul 11 2019
Is this really necessary to duplicate functionality that already is provided by Web Key Directory?
Jul 3 2019
I'm also interested in fine details especially w.r.t. interfacing with GnuPG. I've seen multiple timestamping standards starting from RFC3161, to blockchains or secure time protocols even (ab)using Certificate Transparency logs and ideas on how to append the signature (timestamp flag vs unhashed notations) so I'll be eager to hear the details on the ML @stm!
@dkg I believe @aheinecke gave the GpgOL description just as an example of why WKD-first retrieval would be beneficial (for details of that see https://wiki.gnupg.org/AutomatedEncryption#Trust_Levels) and I believe this ticket is a follow-up to my question on gnupg-devel ML: https://lists.gnupg.org/pipermail/gnupg-devel/2019-June/034372.html
Jun 26 2019
For the record in my original message I asked about adding self-signatures.
Nov 14 2018
"Miranda ICQ [Unix] CHAT" also doesn't work. Maybe it would be a good idea to check all of them via script or something like that...
Aug 29 2018
Jul 8 2018
Agreed, after the verification succeeds the caller can (and probably will) check the signature notations.
Jul 7 2018
Jul 2 2018
Ha, I wish e-mail-like searches would be done using only WKD with no fallbacks to keyservers... that way keys would be "more verified"... but I understand it may be not practical :)
Nov 8 2017
For what is worth I think sanitize_regexp was programmed while reading 4880 because the RFC allows backslash + any character (section 8: Regular Expressions):