Josh Boyer wrote:
> > We may want to replace it with a simple Web Key Directory server:
> > https://wiki.gnupg.org/WKD
> >
> > That would make it easy to lookup keys based on @fedoraproject.org
> > email addresses, and since keys can be replaced in the directory, it
> > avoids the problems with SKS attacks.
>
> I don't see that being valuable enough to actually invest the effort
> into doing it and maintaining it long term. If others are interested
> in hosting such a service, that would likely be welcome.

If such others were to step up to do the work, would they be able to get the
access needed to run it on Fedora infrastructure and integrate with FAS?

Note that a Web Key Directory can't be run as a third-party service. It's a
fundamental feature of the protocol that the directory server exists in the
same domain as the email address. Technically a subdomain could be delegated,
but this isn't a thing that should be tossed up on the first cloud service
handy, because an intruder in the server would be able to replace people's
keys and impersonate them.

I think a Web Key Directory server would be good for the Fedora Project's
security, but it should run on hardware under the Fedora Project's control.

Björn Persson
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
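Added example, not part of the original message or of any Fedora or GnuPG code: a sketch of how a Web Key Directory client derives its lookup URLs from the email address alone, following the direct and advanced methods of the WKD draft, which is why the directory has to live in the address's own domain or its `openpgpkey` subdomain. The function names and the `example.org` sample address are assumptions made for illustration.

```python
import hashlib
from urllib.parse import quote, urlsplit

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, zero-padded at the end."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the local part (ASCII letters lowercased), z-base-32 encoded."""
    return zbase32(hashlib.sha1(local_part.encode("utf-8").lower()).digest())


def wkd_urls(address: str) -> dict:
    """Return the lookup URLs a client derives from the address alone."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address: %r" % address)
    domain = domain.lower()
    tail = "hu/%s?l=%s" % (wkd_hash(local), quote(local, safe=""))
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/%s" % (domain, domain, tail),
        "direct": "https://%s/.well-known/openpgpkey/%s" % (domain, tail),
    }


def host_in_address_domain(url: str, address: str) -> bool:
    """True only for the two hosts a WKD client will ever query for this address."""
    domain = address.rpartition("@")[2].lower()
    host = (urlsplit(url).hostname or "").lower()
    return host in (domain, "openpgpkey." + domain)


if __name__ == "__main__":
    sample = "Joe.Doe@example.org"  # constructed sample address
    for method, url in wkd_urls(sample).items():
        print(method, url)
    # A directory on any other host is never consulted by clients.
    print(host_in_address_domain("https://keys.thirdparty.example/hu/x", sample))
```

Because the host name is computed from the address, whoever controls that host (or the DNS delegation for the `openpgpkey` subdomain) decides which key clients receive for every address in the domain.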