Hello mutt-dev,
I would like to extend mutt to add fetching GPG keys over Web Key
Directory protocol.
(I've previously created an issue on gitlab [0] but I'll summarize the
thing here for the broader audience).
Web Key Directory is a new scheme for GPG key discovery. It converts the
e-mail address to HTTPS URL and fetches the key from there. It is
already supported by some e-mail clients (EnigMail, GpgOL).
For example kernel.org has it enabled and Linus' key is at:
https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x
As GnuPG 2 has it enabled by default "gpg --locate-key
torva...@kernel.org" will fetch that key.
I've been exploring mutt's source code and the change would mostly be
enabling external lookup for keys that are not locally present [1] when
encryption is explicitly turned on (gpgme backend).
That raises some privacy issues, the same was discussed on gnupg-devel
ML [2] (gpg by default will fetch the key via WKD when encrypting to a
recipient but will *not* fetch the key when verifying signatures).
The question is how to do it well. Maybe ask the user if they want to
search for the key using WKD if it's not locally present?
An option would be the first choice but I worry about it not being used
at all (as people rarely enable non-standard features [3]).
Thank you for your consideration!
Kind regards,
Wiktor
[0]: https://gitlab.com/muttmua/mutt/issues/55
[1]: gpgme_set_keylist_mode(ctx,
GPGME_KEYLIST_MODE_LOCAL|GPGME_KEYLIST_MODE_EXTERN); in
crypto-gpgme.c#get_candidates.
[2]: https://lists.gnupg.org/pipermail/gnupg-devel/2017-August/033021.html
[3]: https://gitlab.com/muttmua/mutt/issues/3
--
https://metacode.biz/@wiktor
