On Tue, Jan 19, 2021 at 2:36 AM Ángel <an...@pgp.16bits.net> wrote: > > On 2021-01-17 at 23:43 +0000, Stefan Claas via Gnupg-users wrote: > > I encountered only one MITM attack a couple of years ago so far, from an > > SKS user. He was a retired police officer from Austria, who contacted me. > > But what you say I was thinking about as well. My proposal was to include > > in the policy file fingerprint(s) of key(s) and generate an .ots file, from > > opentimestamps.org, from the policy file and put that .ots file somewhere. > > In the old days it was common, prior starting encrypted comms to compare > > fingerprints over other channels. > > If you can safely publish that ots file, you could as well publish your > openpgp key in the same place. > > And if you are exchanging fingerprints over a separate, secure channel, > you can use that to directly verify/fetch the key. > > > (It often makes sense to publish it in many redundant ways, but > strictly it _shouldn't_ be needed)
My thinking is the following, if there would be a consensus for this by the OpenPGP community, after discussing this, while currently not breaking the specs, it could be arranged like thisl: The submitting part of an policy file, containing the fingerprint(s) can be done even on a compromised online computer, because the policy file is immediately accepted by opentimestamps.org and others and then included in the Bitcoin blockchain. As suggestion, for easy implementation,, for WKD clients, could be that then the policy.ots file is placed in the same directory the policy file resides. A policy file could look like this, with remark lines at the beginning: # WKD policy for sac001.github.io # Maintainer: Stefan Claas, ste...@sac001.github.io # Updated: current date of last update. fingerprint #1 fingerprint #2 etc. A WKD client could then fetch with an additional --all parameter all three files and save them in the current working directory, e.g pub key, policy file and policy.ots, thus allowing a WKD users to quickly check, if desired, to compare the downloaded data with the sha256 hash at opentimestamp.org and others. To make it for Mallory harder to exchange the whole directory a WKD user could for example put in his MUA/NUA .signature file the following: WOH sha256 hash. instead of gpg pub key availabe at etc. WOH = WKD-OTS-Hash And a WKD client could do this as CLI app: wkd get [--all] al...@example.com Well, only a proposal. Best regards Stefan _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
