[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Support WKD (and WKS) for @debian.org email addresses?


just testing the waters, whether this is something people like or not:

As we all know, false PGP keys can easily be forged for any given
email address and uploaded to key servers. We've been there, even with
the correct short key ids and equally faked signatures!

One way to help senders getting the real receivers key is WKD (web key
directory). That is one HTTPS URL per email address, e.g. a static
directory with PGP key files. (See https://wiki.gnupg.org/WKD)

Example: To get the public key of Linus Torvalds, you type

$ gpg --auto-key-locate wkd --locate-keys torvalds@kernel.org

which fetches the public key from this URL:


Of course, WKD is only about fetching the key. The actual decision to
trust or not a key, let alone sign it, does not change by use of WKD.

The second thing is WKS (web key service): This is a protocol/tool to
publish, update or de-puplish keys via WKD in a standardized form.
(See https://wiki.gnupg.org/WKS)

Do we want WKD for debian.org, like gentoo.org and kernel.org?

TIA for your opinions & Cheers

Reply to: