Adding support for fetching GPG key using WKD protocol
wiktor at metacode.biz
Fri Jul 6 19:12:26 UTC 2018
Thanks for your detailed e-mail! I will try to answer to points that
you've raised to the best of my knowledge.
> On that basis I think Mutt should force the user to explicitly decide
> that they want to fetch a key, by doing so through the gnupg
Is asking the user if they want to fetch the key interactively (if the
key is not found locally) not an explicit decision? Or do you mean that
the user should exit mutt and run gpg manually?
> Another way to look at this: Mutt likes to relegate tasks to an
> application which is designated for that task. In this case, gnupg
> (or whatever) is the application relegated to managing PGP keys. As
> such the user should configure THAT application, to the extent
> possible, to do what they want with keys, and Mutt should ignore the
Yes, I agree. The problem is that GPGME does not respect user
preferences w.r.t. key retrieval (stored in gpg.conf). I will ask on
gnupg-devel list if this is by design.
> As a side note, I think automatic key retrieval of any sort largely
> defeats the purpose of encryption. You have no idea if the key you've
> downloaded actually belongs to the person you think it should belong
> to, excepting the case where the key is just a refresh of a key you've
> already manually verified (i.e. key is signed by a key you already
> have verified, belonging to the same person). There are sometimes
> other reasons, or other means by which to trust such keys (e.g. the
> web of trust); but in the general case it is simply stupid to do so
> without manually verifying the key and its owner's identity yourself.
> You can consider that an additional argument to not support the
> feature if you like.
Mutt already has appropriate messages relating to key validity
(crypt-gpgme.c:1330) for example "WARNING: We have NO indication whether
the key belongs to the person named as shown above" and key retrieval
doesn't change that.
But consider the situation, you have signed a key of person B and you
fully trust them, now you want to contact me and my key is signed with
person's B key. It doesn't matter how you retrieve my key, when you
import it it will be fully valid (as you trust person's B signatures).
What WKD changes is you'll get my key from my domain and you won't have
to search keyserver's for all potential keys looking for one that is
signed by one of your trusted contacts.
Another example (a little bit more contrived): I want to report broken
links on your home page :) (pizzashack.org)... confidentially. How would
I do that? I would obviously get your key from your page
(http://pizzashack.org/~ddm/pgp.key), WKD does just that, gets your key
from your site. It *does not* make it trusted, signed or anything else.
But I could at least send you the end-to-end encrypted message.
Actually that's how I got the idea of adding WKD to mutt: one person
couldn't reply to my PGP message with encryption because they couldn't
find my key (my guess is that the keyservers were failing but that's
Thanks for your time!
More information about the Mutt-dev