Adding support for fetching GPG key using WKD protocol

Fabian Groffen grobian at gentoo.org
Thu Jul 5 07:13:45 UTC 2018


Hi,

Just wondering, I've got "auto-key-retrieve" set in my gpg.conf.  I'm
using gpgme, and as far as I'm aware it fetches keys it doesn't know
upon reading the message (gives a little delay) to verify the signature
is OK.

Is this a different thing somehow?

Thanks,
Fabian


On 04-07-2018 23:27:23 +0200, Wiktor Kwapisiewicz wrote:
> Hello mutt-dev,
> 
> I would like to extend mutt to add fetching GPG keys over Web Key 
> Directory protocol.
> 
> (I've previously created an issue on gitlab [0] but I'll summarize the 
> thing here for the broader audience).
> 
> Web Key Directory is a new scheme for GPG key discovery. It converts the 
> e-mail address to HTTPS URL and fetches the key from there. It is 
> already supported by some e-mail clients (EnigMail, GpgOL).
> 
> For example kernel.org has it enabled and Linus' key is at: 
> https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x
> 
> As GnuPG 2 has it enabled by default "gpg --locate-key 
> torvalds at kernel.org" will fetch that key.
> 
> I've been exploring mutt's source code and the change would mostly be 
> enabling external lookup for keys that are not locally present [1] when 
> encryption is explicitly turned on (gpgme backend).
> 
> That raises some privacy issues, the same was discussed on gnupg-devel 
> ML [2] (gpg by default will fetch the key via WKD when encrypting to a 
> recipient but will *not* fetch the key when verifying signatures).
> 
> The question is how to do it well. Maybe ask the user if they want to 
> search for the key using WKD if it's not locally present?
> 
> An option would be the first choice but I worry about it not being used 
> at all (as people rarely enable non-standard features [3]).
> 
> Thank you for your consideration!
> 
> Kind regards,
> Wiktor
> 
> [0]: https://gitlab.com/muttmua/mutt/issues/55
> 
> [1]: gpgme_set_keylist_mode(ctx, 
> GPGME_KEYLIST_MODE_LOCAL|GPGME_KEYLIST_MODE_EXTERN); in 
> crypto-gpgme.c#get_candidates.
> 
> [2]: https://lists.gnupg.org/pipermail/gnupg-devel/2017-August/033021.html
> 
> [3]: https://gitlab.com/muttmua/mutt/issues/3
> 
> -- 
> https://metacode.biz/@wiktor

-- 
Fabian Groffen
Gentoo on a different level
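The thread refers to WKD mapping an e-mail address to an HTTPS URL without spelling the mapping out. The following is an added example, not code from mutt, GnuPG or either poster: it derives the WKD lookup URL the way the Web Key Directory draft (draft-koch-openpgp-webkey-service) specifies, namely lower-casing the local part (ASCII letters only), hashing it with SHA-1 and z-base-32 encoding the 160-bit digest into a fixed 32-character string. The "direct" form matches the kernel.org URL quoted above; the "advanced" form on an openpgpkey subdomain is the one the later draft revisions try first, and the `?l=` query carrying the unmodified local part is likewise a later addition that the quoted URL does not show. Function names and the sample address are this example's own. The privacy point raised in the thread is visible in the output: every lookup tells the recipient's domain (or its openpgpkey host) exactly whom you are about to write to.

```python
"""Derive Web Key Directory (WKD) lookup URLs for an e-mail address.

Added example, not mutt or GnuPG code. Follows draft-koch-openpgp-webkey-service:
local part -> ASCII lower case -> SHA-1 -> z-base-32 (RFC 6189 alphabet).
"""
import hashlib
import re
import urllib.parse

# z-base-32 alphabet (RFC 6189, section 5.1.6), in value order 0..31.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_WKD_HASH_RE = re.compile(r"^[" + ZBASE32_ALPHABET + r"]{32}$")


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode: consume bits MSB-first in groups of 5, zero-pad the tail."""
    bits = "".join(f"{byte:08b}" for byte in data)
    return "".join(
        ZBASE32_ALPHABET[int(bits[i:i + 5].ljust(5, "0"), 2)]
        for i in range(0, len(bits), 5)
    )


def _ascii_lower(text: str) -> str:
    """Lower-case only A-Z; the draft does not fold non-ASCII letters."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in text)


def wkd_hash(local_part: str) -> str:
    """The 32-character WKD hash of a local part (SHA-1, z-base-32)."""
    digest = hashlib.sha1(_ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits -> exactly 32 characters


def is_wkd_hash(value: str) -> bool:
    """Sanity check for a hash taken from a URL: 32 chars, z-base-32 alphabet only."""
    return bool(_WKD_HASH_RE.match(value))


def wkd_urls(address: str, with_query: bool = True) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs for an address.

    with_query=False reproduces the older form without '?l=<local-part>'.
    """
    if address.count("@") != 1:
        raise ValueError(f"not a plain user@domain address: {address!r}")
    local, domain = address.split("@")
    domain = domain.lower()  # DNS names are case-insensitive
    digest = wkd_hash(local)
    # The query carries the local part as typed (case preserved), URL-encoded.
    query = "?l=" + urllib.parse.quote(local, safe="") if with_query else ""
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{digest}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{digest}{query}",
    }


if __name__ == "__main__":
    # Sample address taken from the thread above; the URLs are computed here.
    for method, url in wkd_urls("torvalds@kernel.org", with_query=False).items():
        print(f"{method:8s} {url}")
```

A client that adopts this should try the advanced URL first and fall back to the direct one, require a valid TLS certificate on both, and treat the fetched key as a candidate to be checked against the requested address rather than as trusted on its own. The `with_query=False` output is what to compare against a URL seen in the wild.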