On 18/01/2021 00.43, Stefan Claas wrote:
> But what you say I was thinking about as well. My proposal was to include
> in the policy file fingerprint(s) of key(s) and generate an .ots file, from
> opentimestamps.org, from the policy file and put that .ots file somewhere.
> In the old days it was common, prior to starting encrypted comms, to compare
> fingerprints over other channels.

If you are coordinating the use of a separate channel to compare fingerprints, you can also just coordinate where the public keys are to be downloaded. As others have pointed out[1], it's even easier to set up than WKD (no rules to follow). And if you're not using the whole thing for e-mail, then you're probably not using an e-mail client with automatic WKD retrieval. So there is no benefit of using WKD over making up your own URL and telling that to your communication partners.

[1]: https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064633.html

> And regarding secure domains, would you consider VPS servers secure
> too for WKD?

I don't know about the servers, my point was about the domain control. Whoever can change the DNS records can just have them point to a different server with their own (malicious) content. GitHub Pages as a free web hosting service will certainly not give you the same security guarantees as a hosting provider where you pay money to administer a domain of your own.

> BTW. I did not receive yet your reply for my two other accounts, hence the
> late reply.

Sorry, I don't quite understand. Would you like a reply to be addressed directly in addition to the mailing list?

Kind regards
André

--
Greetings...
From: André Colomb <an...@colomb.de>

_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users