Mailing List Archive

WKD: Publishing a key for multiple user IDs
Under ‘security considerations’ the current WKD draft says:

> The mail provider MUST make sure to publish a key in a way that only the
> mail address belonging to the requested user is part of the User ID
> packets included in the returned key. Other User ID packets and their
> associated binding signatures MUST be removed before publication.

So if I have two email addresses/user IDs me@my.org and me2@my.org
associated with the same key, I cannot just export the key and publish
it, right? I have to somehow publish two different ‘stripped’ public
keys.

Is there documentation somewhere on how to produce the keys for both these
user IDs with GnuPG? (I don’t think the Python generate scripts do this
properly, or do they?)

Cheers,


--
David
Re: WKD: Publishing a key for multiple user IDs
On 16/07/2019 08:23, Wolfgang Traylor wrote:
> Try the gpg-wks-client command. It should try to automatically strip the user IDs. Werner Koch explained that in an old post:
> https://lists.gnupg.org/pipermail/gnupg-users/2019-February/061610.html
>
> Since my primary secret key is offline and I access it with the live system Tails, the gpg-wks-client does not work for me.
> Instead I used the following commands in the Linux command line on Tails:
>
> Export secret & public keys (including the primary key) into "primary_key.asc".
>
> ```
> # Work in a temporary directory, with a blank keyring.
> mkdir /tmp/gnupg_posteo
> gpg --homedir "/tmp/gnupg_posteo" --import primary_key.asc
> gpg --homedir "/tmp/gnupg_posteo" --edit-key <Key-ID>
>
> # Create new user ID with empty name and only the posteo address.
> # To add a comment like "WKD" or such is allowed.
> gpg> adduid
>
> # Delete all other user IDs.
> gpg> uid 1
> gpg> uid 2
> gpg> deluid
>
> # Save changes.
> gpg> save
>
> # Export the public key without any third-party signatures.
> gpg --homedir "/tmp/gnupg_posteo" --export-options="export-minimal" --armor --export <Key-ID> > key_for_posteo.asc
> ```

This is very helpful, thank you Wolfgang!
Re: WKD: Publishing a key for multiple user IDs
On Mon, 15 Jul 2019 18:03, gnupg-users@gnupg.org said:

> So if I have two email addresses/user IDs me@my.org and me2@my.org
> associated with the same key, I cannot just export the key and publish
> it, right? I have to somehow publish two different ‘stripped’ public

Sigh. GnuPG handles this for you if your frontend uses gpg-wks-client
for this. You can use this tool also to create a local copy of the server
data structure and then sync it up.

> Is there documentation somewhere on how to produce the keys for both these
> user IDs with GnuPG? (I don’t think the Python generate scripts do this

I don't know about Python scripts. Kmail, GpgOL, and Enigmail do the
publishing for you. You can also do it manually, see the Wiki.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: WKD: Publishing a key for multiple user IDs
On 16.07.2019 12:16, Werner Koch via Gnupg-users wrote:
>> So if I have two email addresses/user IDs me@my.org and me2@my.org
>> associated with the same key, I cannot just export the key and publish
>> it, right? I have to somehow publish two different ‘stripped’ public
>
> Sigh. GnuPG handles this for you if your frontend uses gpg-wks-client
> for this. You can use this tool also to create a local copy of the server
> data structure and then sync it up.

If you've got only gpg installed you can use export filters to prepare a
stripped key:

```
$ gpg --export-options export-clean --export-filter keep-uid=mbox=$EMAIL --export $EMAIL
```

Hope this helps.

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
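The two approaches in this thread (Wolfgang's manual edit-key session and Wiktor's export filter) both produce one stripped key per address by hand. The script below is an added example, not code from the thread or from the GnuPG project: it lists every mailbox bound to a key, runs the `export-clean` / `keep-uid=mbox=` export once per mailbox, and checks that each resulting file really carries a single user ID before it is handed to the WKD publishing step. It assumes GnuPG 2.2 or newer (for `--export-filter` and `--show-keys`), a key already in the default keyring, and the hypothetical output naming `<mailbox>.asc`; mapping those files into the hashed WKD directory layout is a separate step not shown here.

```shell
#!/bin/sh
# Added example (not from the thread): produce one WKD-ready public key per
# mail address bound to a key, each carrying only that address.
# Assumes GnuPG >= 2.2 and the key present in the default keyring.
set -eu

# Read a "gpg --with-colons --list-keys" listing on stdin and print the mail
# address of every user ID, one per line. The user ID is field 10 of "uid"
# records; a uid may be "Name <addr>" or a bare address.
mboxes_from_colons() {
    awk -F: '$1 == "uid" {
        uid = $10
        if (match(uid, /<[^>]*>/)) uid = substr(uid, RSTART + 1, RLENGTH - 2)
        if (index(uid, "@")) print uid
    }'
}

# Count "uid" records in a --with-colons listing read from stdin.
uid_count_in_colons() {
    awk -F: '$1 == "uid" { n++ } END { print n + 0 }'
}

# Export KEYID keeping only the user ID whose mailbox is MBOX, dropping
# third-party signatures (export-clean), armored, into OUTFILE.
export_stripped_key() {
    keyid=$1; mbox=$2; outfile=$3
    gpg --batch --export-options export-clean \
        --export-filter "keep-uid=mbox=$mbox" \
        --armor --export "$keyid" > "$outfile"
}

# The draft requires exactly one user ID per published key; verify that
# on the produced file before it goes anywhere near the web server.
check_single_uid() {
    n=$(gpg --batch --show-keys --with-colons "$1" | uid_count_in_colons)
    [ "$n" -eq 1 ]
}

# Produce one stripped key file per mailbox of KEYID under OUTDIR
# (hypothetical naming: OUTDIR/<mailbox>.asc).
publish_all_uids() {
    keyid=$1; outdir=$2
    mkdir -p "$outdir"
    gpg --batch --with-colons --list-keys "$keyid" | mboxes_from_colons |
    while read -r mbox; do
        out="$outdir/$mbox.asc"
        export_stripped_key "$keyid" "$mbox" "$out"
        check_single_uid "$out" || {
            echo "refusing to publish $out: it does not carry exactly one uid" >&2
            exit 1
        }
        echo "$out"
    done
}

# Usage: ./wkd-split.sh <key-id-or-fingerprint> [output-dir]
if [ $# -ge 1 ]; then
    publish_all_uids "$1" "${2:-./wkd-keys}"
fi
```

`check_single_uid` is the part worth keeping even if you prefer the edit-key route: whatever produced the file, a key that still carries a second user ID is exactly what the draft's security considerations forbid, and a listing of the exported file catches it before publication.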
Re: WKD: Publishing a key for multiple user IDs
Thanks everybody.

> > Is there documentation somewhere on how to produce the keys for both these
> > user IDs with GnuPG? (I don’t think the Python generate scripts do this
>
> I don't know about Python scripts. Kmail, GpgOL, and Enigmail do the
> publishing for you. You can also do it manually, see the Wiki.

Exactly – I was referring to the Python scripts in the wiki:
https://wiki.gnupg.org/WKDHosting