[ https://issues.apache.org/jira/browse/WHIMSY-364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381450#comment-17381450 ]

Sebb commented on WHIMSY-364:
-----------------------------

An alternative is to use some other means of 'signing' the form. Anyone can create and upload a key, so unless the key is in a web of trust, does it provide any benefit to us?

Would it not be sufficient to validate the email address, e.g. by requiring a confirmation?

> Need to switch PGP key server defaults again as SKS retired
> -----------------------------------------------------------
>
>                 Key: WHIMSY-364
>                 URL: https://issues.apache.org/jira/browse/WHIMSY-364
>             Project: Whimsy
>          Issue Type: Bug
>          Components: SecMail
>            Reporter: Matt Sicker
>            Assignee: Craig L Russell
>            Priority: Major
>
> https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it
>
> I'm surprised I didn't notice this back when we were switching to the SKS key
> server mirrors. It seems like we have a few options:
>
> * Use https://keys.openpgp.org which has stricter security, though it
>   requires that key uploaders verify their email address with that site in
>   order for their published keys to be publicly searchable (not sure if that
>   applies to the key id directly)
> * GnuPG has a feature for storing and searching for PGP keys in LDAP if we
>   want to host keys somewhere more standardized, but this doesn't help for
>   people who don't already have an account
> * Offer some method for submitters to include an HTTPS link to download their
>   PGP key

--
This message was sent by Atlassian Jira
(v8.3.4#803005)