
wks for sign-only keys
Hi,

I'm currently setting up wkd and wks on my server. This works great for
keys which can encrypt and sign. However, when I try to publish a
sign-only key, I get:

> /usr/lib/gnupg/gpg-wks-client -vvv --create
5FDCA472AB93292BC678FD59255A76DB9A12601A arch-packages@eckner.net
gpg-wks-client: gpg: writing to stdout
gpg-wks-client: submitting request to 'key-submission@szilassi.eckner.net'
gpg-wks-client: gpg: Total number processed: 1
gpg-wks-client: submitting key with user id 'Erich Eckner (just to sign
arch packages) <arch-packages@eckner.net>'
gpg-wks-client: gpg: 5FDCA472AB93292BC678FD59255A76DB9A12601A: skipped:
Unusable public key
gpg-wks-client: gpg: [stdin]: encryption failed: Unusable public key
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: encryption failed: Unusable public key
gpg-wks-client: creating request failed: Unusable public key

I understand that the wks server sends back an encrypted email - which
it can't with the sign-only key. However, would it be possible to fall
back to an unencrypted email for keys which are not suited for
encrypting? In the end, the content will still be signed, thus authentic.

My understanding is that the encrypted email from wks to the client
ensures:
a) client has the private key (unnecessary, as it already signed
something - or can be verified again by signing some given content)
b) client actually wants to publish its key (for that, no encryption is
needed, just a valid signature from the wks and from the client for the
answer)
Am I right?

regards,
Erich

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
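The failure in the log above comes from gpg refusing to encrypt to a key with no encryption capability. As an added example (not code from the thread or from GnuPG), this checks `gpg --with-colons --list-keys` output for that capability before running gpg-wks-client; the colon record layout follows GnuPG's doc/DETAILS, and the sample records are constructed (fingerprint and user id of the first key are the ones from the thread, everything else, including the second key, is invented).

```python
# Added example: predict gpg-wks-client's "Unusable public key" failure
# from `gpg --with-colons --list-keys` output. Per GnuPG doc/DETAILS,
# field 2 is validity and field 12 is capabilities; lowercase letters
# describe that key packet, uppercase letters summarise the whole key
# (E = encrypt, D = disabled).

# Constructed sample: the thread's sign-only key (fingerprint and user id
# from the thread, other fields invented) plus an invented key that also
# carries an encryption subkey.
SAMPLE = """\
pub:u:255:22:255A76DB9A12601A:1546000000:::u:::scSC::::::23::0:
fpr:::::::::5FDCA472AB93292BC678FD59255A76DB9A12601A:
uid:u::::1546000000::0000000000000000000000000000000000000000::Erich Eckner (just to sign arch packages) <arch-packages@eckner.net>::::::::::0:
pub:u:255:22:0123456789ABCDEF:1546000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1546000000::0000000000000000000000000000000000000000::Example <someone@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1546000000::::::e::::::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
"""

def parse_keys(colon_output: str) -> list[dict]:
    """One dict per primary key: fingerprint, validity, summary caps, uids."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": None, "validity": f[1], "caps": f[11], "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]          # first fpr after pub is the primary key
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def wks_submittable(key: dict) -> bool:
    """gpg-wks-client encrypts its request to the key, so the key needs a
    usable encryption capability and must not be disabled, revoked or expired."""
    return ("E" in key["caps"] and "D" not in key["caps"]
            and key["validity"] not in ("r", "e"))

def check(colon_output: str) -> dict:
    """Map fingerprint -> True if `gpg-wks-client --create` should succeed."""
    return {k["fpr"]: wks_submittable(k) for k in parse_keys(colon_output)}

if __name__ == "__main__":
    for fpr, ok in check(SAMPLE).items():
        print(fpr, "ok" if ok else "unusable for WKS (no encryption capability)")
```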
Re: wks for sign-only keys
On Wednesday 09 January 2019 11:55:12 Erich Eckner wrote:
> I'm currently setting up wkd and wks on my server. This works great for
> keys which can encrypt and sign. However, when I try to publish a

> gpg-wks-client: creating request failed: Unusable public key

One of the design ideas of WKD/WKS is that it is as simple as possible.
A pubkey without the ability to be encrypted to is a special case.

Maybe some special cases could be supported in the future, but in my view this
would need a very good reason, so that the hassle of added complexity is worth
it.

So what is your use case? Why not just use a pubkey which allows encryption
and do not use it, if you don't need it? To me the encryption test has the
advantage to check that it is actually possible to retrieve a pubkey for an
email address and right away use it for encryption to this address.


Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: wks for sign-only keys
On Wed, 9 Jan 2019 11:55, gnupg@eckner.net said:

> it can't with the sign-only key. However, would it be possible to fall
> back to an unencrypted email for keys which are not suited for
> encrypting? In the end, the content will still be signed, thus authentic.

The purpose of the Web Key Directory is to provide an encryption key for
a given mail address. It is entirely useless for a signing key because
a verifying party can't find the key using the Web Key directory because
the lookup is by the mail address and not by the fingerprint, which is
provided as part of the signature.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: wks for sign-only keys
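To make Werner's point concrete: a WKD client derives the URL it fetches from the mail address alone, so there is no way to go from a fingerprint in a signature to a lookup. This is an added example (not code from the thread or from GnuPG) that implements the WKD address-to-URL mapping as specified in the Web Key Directory draft; the z-base-32 alphabet and the `Joe.Doe@Example.ORG` test vector are taken from that draft.

```python
import hashlib
from urllib.parse import quote

# Added example (not from the thread): how a WKD client turns a mail
# address into the URL it fetches. The local part is lowercased, SHA-1
# hashed, and the 20-byte digest z-base-32 encoded (32 characters); the
# lowercased domain goes into host and path. Nothing here depends on a
# key fingerprint, which is why a verifier holding only a signature has
# nothing to look up.

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """z-base-32 encode without padding; trailing bits are zero-filled."""
    nchars = -(-len(data) * 8 // 5)                      # ceil(bits / 5)
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))

def wkd_hash(local_part: str) -> str:
    """Hashed local part; case-insensitive because WKD lowercases first."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_urls(address: str) -> dict:
    """Direct-method and advanced-method URLs for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")              # original local part as query hint
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={l}",
    }

if __name__ == "__main__":
    for name, url in wkd_urls("arch-packages@eckner.net").items():
        print(f"{name:8} {url}")
```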
On 11.01.19 09:05, Bernhard Reiter wrote:
> On Wednesday 09 January 2019 11:55:12 Erich Eckner wrote:
>> I'm currently setting up wkd and wks on my server. This works great for
>> keys which can encrypt and sign. However, when I try to publish a
>
>> gpg-wks-client: creating request failed: Unusable public key
>
> One of the design ideas of WKD/WKS is that it is as simple as possible.
> A pubkey without the ability to be encrypted to is a special case.
>
> Maybe some special cases could be supported in the future, but in my view this
> would need a very good reason, so that the hassle of added complexity is worth
> it.
>
> So what is your use case? Why not just use a pubkey which allows encryption
> and do not use it, if you don't need it? To me the encryption test has the
> advantage to check that it is actually possible to retrieve a pubkey for an
> email address and right away use it for encryption to this address.
>
>
> Best Regards,
> Bernhard

My use case is a key for (automatic) signing of packages and/or
archives. To avoid any confusion, I created the key without the
capability of encryption (no emails should be sent to that address -
besides, of course, wks emails).
If it would add much complexity to allow for uploading sign-only keys, I
guess I'm fine with replacing the key with one that can also encrypt -
or uploading the key manually to wkd.

regards,
Erich

Re: wks for sign-only keys
On 11.01.19 09:40, Werner Koch wrote:
> On Wed, 9 Jan 2019 11:55, gnupg@eckner.net said:
>
>> it can't with the sign-only key. However, would it be possible to fall
>> back to an unencrypted email for keys which are not suited for
>> encrypting? In the end, the content will still be signed, thus authentic.
>
> The purpose of the Web Key Directory is to provide an encryption key for
> a given mail address. It is entirely useless for a signing key because
> a verifying party can't find the key using the Web Key directory because
> the lookup is by the mail address and not by the fingerprint, which is
> provided as part of the signature.
>
>
> Shalom-Salam,
>
> Werner
>

oh, I haven't thought of that. Thanks for the explanation /
clarification :-)

regards,
Erich

Re: wks for sign-only keys
On Friday 11 January 2019 09:46:05 Erich Eckner wrote:
> To avoid any confusion, I created the key without the capability
> of encryption (no emails should be sent to that address - besides, of
> course, wks emails).

An interesting question then is: What do you do if an email is sent to
this address? :) Even if you throw them away, being able to encrypt is
important, because users may have sent you some interesting information.
If you don't want email sent at all, why offer an email address?

> If it would add much complexity to allow for uploading sign-only keys, I
> guess, I'm fine with replacing the key with one that can also encrypt

Given my assumptions above this may be the better solution for you anyway. ;)

Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: wks for sign-only keys
On 11.01.19 11:08, Bernhard Reiter wrote:
> On Friday 11 January 2019 09:46:05 Erich Eckner wrote:
>> To avoid any confusion, I created the key without the capability
>> of encryption (no emails should be sent to that address - besides, of
>> course, wks emails).
>
> An interesting question then is: What do you do if an email is sent to
> this address? :) Even if you throw them away, being able to encrypt is
> important, because users may have sent you some interesting information.
> If you don't want email sent at all, why offer an email address?

Email will be discarded. I was simply offering an email address, because
I thought it was mandatory (but now I see that it is not).

>
>> If it would add much complexity to allow for uploading sign-only keys, I
>> guess, I'm fine with replacing the key with one that can also encrypt
>
> Given my assumptions above this may be the better solution for you anyway. ;)

Yes, either that or a key without an email address and manual upload to
the wkd.

regards,
Erich

Re: wks for sign-only keys
On Friday 11 January 2019 11:20:00 Erich Eckner wrote:
> or a key without an email address and manual upload to the wkd.

This won't work.
As Werner wrote: WKD shall give the pubkey for an email address.
So if there is no known email address, no pubkey can be found (or will be
accessed).

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner