
Re: uploading keys where to?



On Mon 2019-07-29 23:24:38 +0200, Martin wrote:
> On 2019-07-29 16:57, Daniel Kahn Gillmor wrote:
>> If you're just talking about getting the people you communicate with via
>> e-mail to have a copy of your own OpenPGP certificate, i recommend using
>> an Autocrypt-capable e-mail program, and enabling Autocrypt.
>
> Pros/cons versus WKD (web key directory)?
> Other than "not available with my provider", of course.

WKD and Autocrypt are not in conflict at all -- so there is no "pro/con"
in the sense of "which should i choose?"  Rather, they work in different
use cases, and if you're really intent on making your OpenPGP
certificates widely available so that people can send you encrypted
mail, you probably want to do both if you can.

WKD is good for first-contact -- if you want someone to be able to send
you mail with you never having contacted them before, they can look up
your OpenPGP certificate via WKD without ever having heard from you.
Autocrypt can't do that because the wire-format parts of Autocrypt rely
on in-band certificate transmission (so that Autocrypt-capable clients
can avoid the "not available with my provider" problem).

WKD is also good for providing third-party certifications on your
OpenPGP certificate, if you want to do that.  Autocrypt delivers a
deliberately minimized OpenPGP certificate, typically with all
third-party certifications stripped.  See
https://autocrypt.org/level1.html#openpgp-based-key-data for more
details.

keys.openpgp.org will *not* share third-party certifications either,
because that is a trivial certificate flooding vector, as we've seen
with SKS.  I'm looking at ways to facilitate abuse-resistant keystores
to distribute third-party certifications, such as:

   https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-10

But those approaches need more end-user tooling that currently doesn't
exist.  Vincent, the lead maintainer of keys.openpgp.org, also has some
suggestions that i aim to merge into this proposal. I want to make it
more palatable for anyone running such a redistribution mechanism:

    https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/merge_requests/13

I hope that if there are other people who want to do safe/sane OpenPGP
certificate distribution mechanisms, they speak up about this work
and indicate what their preferences are.

And of course, none of these approaches prevent you from sending any
OpenPGP certificate you have a copy of to anyone who you want via
whatever your preferred channels are (e.g., in an e-mail directly).

> Btw. it's great that there is some progress for mutt:
> https://gitlab.com/muttmua/mutt/issues/28

I'm excited by this too :)

    --dkg


