Kevin Fenzi wrote:
> Fas is on life support mode, but something could be added to the new
> coming account system interface.

I understand from this that the entire FAS will be replaced. I had previously gotten a vague impression that the new project would replace the authentication bits of FAS or something.

> keys.openpgp.org offers a WKD as a service thing:
>
> https://keys.openpgp.org/about/usage

Hmm. They state that they support the lookup protocol, but in their FAQ I find this statement:

| The keys.openpgp.org service is meant for key distribution and
| discovery, not as a de facto certification authority. Client
| implementations that want to offer verified communication should rely
| on their own trust model.

That is, you're not supposed to trust that keys you receive from keys.openpgp.org are genuine. WKD, on the other hand, aims to solve that.

The WKD Internet Draft (https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-09) says this about the Web Key Directory Update Protocol:

| To put keys into the key directory a protocol to automate the task is
| desirable. The protocol defined here is entirely based on mail and
| the assumption that a mail provider can securely deliver mail to the
| INBOX of a user (e.g. an IMAP folder).

Securely dropping an email in a user's mailbox is no problem for an email provider that controls its own infrastructure. For a third party like keys.openpgp.org it's another matter. They state that they use MTA-STS and STARTTLS Everywhere to make sure that verification emails are sent over TLS, but what do they do if your email provider doesn't support SMTP over TLS? Do they refuse your key in that case? My guess is that they send the verification email unprotected, and that that's one reason why they say they're not a certification authority.

Forwarding aliases like the addresses in fedoraproject.org add another complication. Even if Red Hat's mail servers support MTA-STS, there is no way for keys.openpgp.org to know whether the next hop will be secure.

A directory server integrated with FAS's successor wouldn't have to try to verify keys over insecure email. Users could upload their key to their account, and that would be sufficient proof that the key is theirs.

Björn Persson
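
Added example, not part of the original message: a sender-side sketch of the MTA-STS check (RFC 8461) discussed above, showing that even an enforced policy only authenticates the first hop, so whatever lies behind a forwarding alias stays invisible to the sender. The domains, MX names, policy bodies and the `delivery_decision` helper are constructed for illustration and do not describe how keys.openpgp.org actually behaves.

```python
# Added example: sender-side MTA-STS decision (RFC 8461) for a verification email.
# All host names and policy bodies used with it are constructed sample data.

def parse_policy(text):
    """Parse an MTA-STS policy body; return a dict, or None if it is unusable."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        return None
    if policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    if policy["mode"] != "none" and not policy["mx"]:
        return None
    return policy

def mx_allowed(mx_host, patterns):
    """A '*.' pattern matches exactly one left-most label, nothing deeper."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def delivery_decision(policy_text, mx_host, mx_offers_valid_tls):
    """Say what the sender can guarantee, which is the first SMTP hop only."""
    policy = parse_policy(policy_text) if policy_text else None
    if policy is None or policy["mode"] != "enforce":
        # No enforceable policy: STARTTLS is opportunistic and can be stripped.
        return "unauthenticated"
    if mx_allowed(mx_host, policy["mx"]) and mx_offers_valid_tls:
        # Says nothing about where a forwarding alias relays the mail next.
        return "first-hop-authenticated"
    return "do-not-deliver"
```

A verifier that wants email delivery to count as proof of key ownership would have to refuse every result other than "first-hop-authenticated", and even that result does not cover the hop after a forwarding alias.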