GnuPG 2.2.17 ignores all key signatures of key servers by default:

lists.gnupg.org/pipermail/gnup

– this could be the end of the traditional web of trust of GnuPG
– there are additional changes to prefer WKD (tools.ietf.org/html/draft-koch) over key servers

Web of Trust will still work over WKD, and that’s okay. This basically mirrors current usage of Web of Trust anyway. For example kernel.org requires their developers to cross-sign each other's keys (https://old.lwn.net/Articles/461236/) and they provide developer keys over WKD (https://www.kernel.org/category/signatures.html#using-the-web-key-directory).

The same system (WKD+signatures) is deployed by other major distros: Gentoo and Debian.

Arguably each organization that has an HTTPS site and uses PGP heavily should deploy WKD. Some high profile journalist sites already do (e.g. https://www.occrp.org).
