Mailing List Archive

On Montag, 31. Januar 2022 15:58:22 CET Piotr Morgwai Kotarbinski via Gnupg-
users wrote:
> I have a public key with a photo-ID uploaded to WKD at my domain and when I
download it manually and import to gpg, everything works as expected:
[...]
> However if I try to locate the same key automatically using WKD mechanism,
then the attached photo-ID is not imported into my keyring:
[...]
> Is this intended or is it a bug?

Yes, this is intended. Keys retrieved via WKD are always imported with the
equivalent of the import filter {keep-uid=<email address used for WKD
retrieval>}.

The reasoning is that only user ids matching the email address used to
retrieve the key via WKD can be somewhat trusted (if you trust the people
running the WKS). Any other user id including photo ids on the key could be
fake, i.e. you could easily add the photo of another person as photo id to
your key.

Regards,
Ingo

hmm: I don't seem to follow:
if a user decided to trust (to certain extent) some domain's WKS admins regarding key fingerprints (for example the user trusts that the WKS admins verify key fingerprints with members of their organization by some means of their internal procedures), it seems quite arbitrary to assume that the user should definitely NOT trust the same admins regarding photo-IDs verification (for example the admins may be comparing photo-IDs with photos from their HR DB before publishing to the WKD). It seems to me, that a decision whether to trust some WKD regarding photo-IDs should be made by individual users based on their knowledge/feeling about security practices in the given organization. Users can "store" such feelings in their keyring by either (l)signing the given photo-ID, leaving it as is, or deleting it themselves.

Furthermore, it may happen that some photo-ID stored in a WKD is signed by a 3rd party that is already trusted by the user. Stripping such photo-ID may unnecessarily conceal information that may be useful/important to the user.

Am I missing maybe some part of the story that invalidates my reasoning?

Thanks!



PS: Happy new lunar year to everyone! :)



On 01/02/2022 00:53, Ingo Kl?cker wrote:
> On Montag, 31. Januar 2022 15:58:22 CET Piotr Morgwai Kotarbinski via Gnupg-
> users wrote:
>> I have a public key with a photo-ID uploaded to WKD at my domain and when I
> download it manually and import to gpg, everything works as expected:
> [...]
>> However if I try to locate the same key automatically using WKD mechanism,
> then the attached photo-ID is not imported into my keyring:
> [...]
>> Is this intended or is it a bug?
>
> Yes, this is intended. Keys retrieved via WKD are always imported with the
> equivalent of the import filter {keep-uid=<email address used for WKD
> retrieval>}.
>
> The reasoning is that only user ids matching the email address used to
> retrieve the key via WKD can be somewhat trusted (if you trust the people
> running the WKS). Any other user id including photo ids on the key could be
> fake, i.e. you could easily add the photo of another person as photo id to
> your key.
>
> Regards,
> Ingo
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

On Dienstag, 1. Februar 2022 18:22:00 CET Piotr Morgwai Kotarbinski via Gnupg-
users wrote:
> hmm: I don't seem to follow:
> if a user decided to trust (to certain extent) some domain's WKS admins
> regarding key fingerprints

That's not what I meant by "trust the WKS admins". What I meant is whether you
trust the WKS admins to make sure that only those people who control a certain
email address can upload an OpenPGP key for this email address to the WKS.

> (for example the user trusts that the WKS admins
> verify key fingerprints with members of their organization by some means of
> their internal procedures), it seems quite arbitrary to assume that the
> user should definitely NOT trust the same admins regarding photo-IDs
> verification (for example the admins may be comparing photo-IDs with photos
> from their HR DB before publishing to the WKD).

Verification of user ids and photo-IDs should be documented by signing those
entities. If you trust the WKS admins (or some other entity), that they
properly verify user ids and photo-IDs then you sign their key (probably with
a non-exportable signature) and set the owner trust of their key. This has
nothing to do with WKS and that's not the problem that WKS is trying to solve.
It's plain old web-of-trust.

> Furthermore, it may happen that some photo-ID stored in a WKD is signed by a
> 3rd party that is already trusted by the user. Stripping such photo-ID may
> unnecessarily conceal information that may be useful/important to the user.
>
> Am I missing maybe some part of the story that invalidates my reasoning?

Distribution of OpenPGP keys with loads of user ids including photo-IDs is not
what WKD is about. It's about providing a well defined location for looking
for the OpenPGP key for a single email address. GnuPG decided that it strips
any user ids not matching the email address from the downloaded key during the
import. Note that GnuPG internally marks keys/user ids downloaded via WKD as
such. In the future this may allow users of GnuPG to tell gpg that it should
automatically treat keys retrieved via WKD (probably for certain domains) as
partially or fully valid.

If you want to get everything someone uploaded to some WKS, then simply
download the public key block from the well defined URL and then import it
with gpg. Using the --key-origin option you can even tell gpg, that it should
treat this public key block as if it was downloaded via WKD. (I have not
really verified whether gpg really treats such an import identical to a WKD
retrieval.)

Regards,
Ingo