unofficial mirror of notmuch@notmuchmail.org
* Notmuch support for GnuPG Web Key Directory
From: Ralph Seichter @ 2019-07-10 19:58 UTC
  To: notmuch

You may have followed a recent discussion on the GnuPG mailing list
regarding poisoned keys on SKS key servers, and possible alternatives.

I have set up a Web Key Directory (see https://wiki.gnupg.org/WKD),
which is easy to do, and now I am wondering about Notmuch support for
WKD. Has anybody considered this, and perhaps even compiled a list of
necessary steps to implement it?

-Ralph

* Re: Notmuch support for GnuPG Web Key Directory
From: Teemu Likonen @ 2019-07-20  5:53 UTC
  To: Ralph Seichter, notmuch

Ralph Seichter [2019-07-10T21:58:00+02] wrote:

> I have set up a Web Key Directory (see https://wiki.gnupg.org/WKD),
> which is easy to do, and now I am wondering about Notmuch support for
> WKD. Has anybody considered this, and perhaps even compiled a list of
> necessary steps to implement it?

What would WKD support mean for Notmuch front-end programs? I know that
WKD is a key locating technology for GnuPG or OpenPGP keys in general,
but it seems to me that it is GnuPG's job. With "auto-key-locate"
settings in place a command like

    gpg --encrypt --recipient person@domain

would include WKD key lookup if the recipient's key isn't found in the
local keyring. Also, signature checking with the "auto-key-retrieve"
option in GnuPG 2.2.17 will prefer WKD over keyservers (by default).

So, what is there left for Notmuch and email clients? Do you mean a
button like "Locate message sender's key" which would run a command like
this:

    gpg --auto-key-locate clear,nodefault,wkd,keyserver \
        --locate-key person@domain

(Or use --locate-external-key which is in GnuPG 2.2.17.)

-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tlikonen@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen

* Re: Notmuch support for GnuPG Web Key Directory
From: Teemu Likonen @ 2019-07-20  9:00 UTC
  To: Ralph Seichter, notmuch

Teemu Likonen [2019-07-20T08:53:01+03] wrote:

> What would WKD support mean for Notmuch front-end programs?

> So, what is there left for Notmuch and email clients?

Oh, in email clients there is at least one thing to do in order to
support WKD: using gpg's "--sender" option with the sender's email
address when signing a message (if that email user ID is in the sender's
key). The "--sender" option includes that email in the signature so WKD
lookup can use that. More information is in the gpg(1) manual page,
especially under the options "--sender" and "--auto-key-retrieve".

I recently added that very feature to Emacs's message-mode (and epg).
It's in the development branch (master) since commit
emacs-26.1-6339-g74579d3d2b (2019-07-13).

http://git.savannah.gnu.org/cgit/emacs.git/commit/?id=74579d3d2bb82f300a6f2d81b7b559f0a24061db

Variable mml-secure-openpgp-sign-with-sender has to be non-nil.

-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tlikonen@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen
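
How an address such as the one passed to --locate-key, or embedded in a signature by --sender, turns into a WKD lookup, shown as an added example that is not part of the thread or of GnuPG's code: it derives the two lookup URLs defined by the WKD draft (SHA-1 of the ASCII-lowercased local part, z-base-32 encoded). The function names and the sample address are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import quote

# z-base-32 alphabet, mapped position by position onto the RFC 4648 base32 one
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648, _ZBASE32)


def split_address(addr):
    """Split an addr-spec into (local part, lowercased domain); reject odd input."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    # The domain is placed into a URL, so refuse characters that would alter it
    if any(c.isspace() or c in "/?#@:" for c in domain):
        raise ValueError(f"unsafe domain in: {addr!r}")
    return local, domain.lower()


def wkd_hash(local):
    """SHA-1 of the local part (ASCII letters lowercased), z-base-32, 32 chars."""
    # bytes.lower() only touches ASCII letters, as the WKD draft requires
    digest = hashlib.sha1(local.encode("utf-8").lower()).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def wkd_urls(addr):
    """Return the (advanced, direct) WKD URLs for addr, advanced method first."""
    local, domain = split_address(addr)
    hu = wkd_hash(local)
    query = "?l=" + quote(local, safe="")  # local part is sent with its case intact
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{hu}{query}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}"
    return advanced, direct


if __name__ == "__main__":
    # Constructed sample address, not taken from the thread
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
```

Both URLs live on the address's own domain and are fetched over HTTPS, so a key located this way is vouched for only by whoever controls that domain's web server.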
