Adding support for fetching GPG key using WKD protocol

Wiktor Kwapisiewicz wiktor at metacode.biz
Fri Jul 6 19:12:26 UTC 2018


Hi Derek,

Thanks for your detailed e-mail! I will try to answer the points that 
you've raised to the best of my knowledge.

> On that basis I think Mutt should force the user to explicitly decide
> that they want to fetch a key, by doing so through the gnupg
> interface.

Is asking the user if they want to fetch the key interactively (if the 
key is not found locally) not an explicit decision? Or do you mean that 
the user should exit mutt and run gpg manually?

> Another way to look at this:  Mutt likes to relegate tasks to an
> application which is designated for that task.  In this case, gnupg
> (or whatever) is the application relegated to managing PGP keys.  As
> such the user should configure THAT application, to the extent
> possible, to do what they want with keys, and Mutt should ignore the
> problem.

Yes, I agree. The problem is that GPGME does not respect user 
preferences w.r.t. key retrieval (stored in gpg.conf). I will ask on 
gnupg-devel list if this is by design.

> As a side note, I think automatic key retrieval of any sort largely
> defeats the purpose of encryption.  You have no idea if the key you've
> downloaded actually belongs to the person you think it should belong
> to, excepting the case where the key is just a refresh of a key you've
> already manually verified (i.e. key is signed by a key you already
> have verified, belonging to the same person).  There are sometimes
> other reasons, or other means by which to trust such keys (e.g. the
> web of trust); but in the general case it is simply stupid to do so
> without manually verifying the key and its owner's identity yourself.
> You can consider that an additional argument to not support the
> feature if you like.

Mutt already has appropriate messages relating to key validity 
(crypt-gpgme.c:1330) for example "WARNING: We have NO indication whether 
the key belongs to the person named as shown above" and key retrieval 
doesn't change that.

But consider the situation: you have signed the key of person B and you 
fully trust them; now you want to contact me and my key is signed with 
person B's key. It doesn't matter how you retrieve my key: when you 
import it, it will be fully valid (as you trust person B's signatures). 
What WKD changes is that you'll get my key from my domain and you won't 
have to search keyservers for all potential keys looking for one that is 
signed by one of your trusted contacts.

Another example (a little bit more contrived): I want to report broken 
links on your home page :) (pizzashack.org)... confidentially. How would 
I do that? I would obviously get your key from your page 
(http://pizzashack.org/~ddm/pgp.key); WKD does just that: it gets your key 
from your site. It *does not* make it trusted, signed or anything else. 
But I could at least send you the end-to-end encrypted message.

Actually that's how I got the idea of adding WKD to mutt: one person 
couldn't reply to my PGP message with encryption because they couldn't 
find my key (my guess is that the keyservers were failing but that's 
immaterial).

Thanks for your time!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
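
Added example, not part of the original e-mail and not Mutt or GnuPG code: a sketch of where a WKD client looks for a key, showing that the lookup location is derived only from the e-mail address and the domain's HTTPS server. The URL layout and z-base-32 hashing follow the Web Key Directory draft as an assumption here (the message does not spell them out); the address used is a constructed sample.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD to encode the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes whose bit length is a multiple of 5 (SHA-1: 160 bits)."""
    bits = len(data) * 8
    if bits % 5:
        raise ValueError("bit length must be a multiple of 5")
    n = int.from_bytes(data, "big")
    # Take 5-bit groups from the most significant end downwards.
    return "".join(ZBASE32[(n >> s) & 31] for s in range(bits - 5, -1, -5))


def wkd_urls(address: str) -> tuple[str, str]:
    """Return the (advanced, direct) WKD lookup URLs for an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    domain = domain.lower()
    # The local part is lowercased before hashing, so the lookup is
    # case-insensitive; the original spelling travels in the l= parameter.
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    query = "?l=" + quote(local, safe="")
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{hu}{query}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}"
    return advanced, direct


if __name__ == "__main__":
    # Constructed sample address.
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
```

A key fetched from either URL is authenticated only by the domain's TLS certificate; its validity in the keyring is still computed from signatures and trust settings after import.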