On Sat, Feb 08, 2020 at 08:59:40PM +0100, Björn Persson wrote:
> Josh Boyer wrote:
> > > We may want to replace it with a simple Web Key Directory server:
> > >
> > > https://wiki.gnupg.org/WKD
> > >
> > > That would make it easy to look up keys based on @fedoraproject.org
> > > email addresses, and since keys can be replaced in the directory, it
> > > avoids the problems with SKS attacks.
> >
> > I don't see that being valuable enough to actually invest the effort
> > into doing it and maintaining it long term. If others are interested
> > in hosting such a service, that would likely be welcome.
>
> If such others were to step up to do the work, would they be able to
> get the access needed to run it on Fedora infrastructure and integrate
> with FAS?

FAS is on life support mode, but something could be added to the new
coming account system interface.

> Note that a Web Key Directory can't be run as a third-party service.
> It's a fundamental feature of the protocol that the directory server
> exists in the same domain as the email address. Technically a subdomain
> could be delegated, but this isn't a thing that should be tossed up on
> the first cloud service handy, because an intruder in the server would
> be able to replace people's keys and impersonate them.

keys.openpgp.org offers a WKD as a service thing:
https://keys.openpgp.org/about/usage

> I think a Web Key Directory server would be good for the Fedora
> Project's security, but it should run on hardware under the Fedora
> Project's control.

Possibly. I'm really not sure how much it would be used.

kevin
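The point Björn makes above, that a WKD lookup is tied to the mail domain, follows directly from how a client builds the lookup URL. The example below is added here and is not code from this thread or from any Fedora or GnuPG project; it implements the address-to-URL mapping from the WKD draft (draft-koch-openpgp-webkey-service: lower-case the local part, SHA-1 it, z-base-32 encode the 20-byte digest, then fetch from either `https://<domain>/.well-known/openpgpkey/hu/<hash>` or the "advanced" form on the `openpgpkey.<domain>` subdomain). The `is_authoritative_for` helper is an added illustration of the same-domain rule, not part of the protocol, and the sample addresses are constructed.

```python
import hashlib
from urllib.parse import quote, urlsplit

# z-base-32 alphabet used by WKD (same ordering as in the draft).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, no padding."""
    bits = 0
    nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 0x1F])
            bits &= (1 << nbits) - 1  # drop the bits already emitted
    if nbits:  # trailing partial group; never reached for a 20-byte SHA-1 digest
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD maps the lower-cased local part through SHA-1 and z-base-32 (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Return the two candidate lookup URLs for an address; both live under the mail domain."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l_param = quote(local, safe="")  # the ?l= parameter carries the original-case local part
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


def is_authoritative_for(email: str, url: str) -> bool:
    """Added check (not part of WKD): is this URL one a client would ever consult for the address?

    Only the mail domain itself or its openpgpkey subdomain qualify, which is why a WKD
    for @fedoraproject.org cannot simply be hosted on an unrelated third-party host.
    """
    domain = email.rsplit("@", 1)[1].lower()
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host == f"openpgpkey.{domain}"


if __name__ == "__main__":
    # Constructed sample address; the domain is the one discussed in the thread.
    for method, url in wkd_urls("Someone.Here@fedoraproject.org").items():
        print(f"{method:8s} {url}")
```

Whoever controls the web server answering for `fedoraproject.org` (or a delegated `openpgpkey.fedoraproject.org`) decides which key a client receives for every address in that domain, which is the exposure Björn describes when he argues the service should run on hardware under the project's control.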