
Support WKD (and WKS) for @debian.org email addresses?



Hi,

just testing the waters, whether this is something people like or not:

As we all know, false PGP keys can easily be forged for any given
email address and uploaded to key servers. We've been there, even with
the correct short key ids and equally faked signatures!

One way to help senders get the real receiver's key is WKD (web key
directory). That is one HTTPS URL per email address, e.g. a static
directory with PGP key files. (See https://wiki.gnupg.org/WKD)

Example: To get the public key of Linus Torvalds, you type

$ gpg --auto-key-locate wkd --locate-keys torvalds@kernel.org

which fetches the public key from this URL:

https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x

Of course, WKD is only about fetching the key. The actual decision to
trust a key or not, let alone sign it, does not change by use of WKD.

The second thing is WKS (web key service): This is a protocol/tool to
publish, update or de-publish keys via WKD in a standardized form.
(See https://wiki.gnupg.org/WKS)

Do we want WKD for debian.org, like gentoo.org and kernel.org?

TIA for your opinions & Cheers

