You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@whimsical.apache.org by "Sebb (Jira)" <ji...@apache.org> on 2021/07/15 16:13:00 UTC
[jira] [Commented] (WHIMSY-364) Need to switch PGP key server
defaults again as SKS retired
[ https://issues.apache.org/jira/browse/WHIMSY-364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381450#comment-17381450 ]
Sebb commented on WHIMSY-364:
-----------------------------
An alternative is to use some other means of 'signing' the form.
Anyone can create and upload a key, so unless the key is in a web of trust, does it provide any benefit to us?
Would it not be sufficient to validate the email address, e.g. by requiring a confirmation?
> Need to switch PGP key server defaults again as SKS retired
> -----------------------------------------------------------
>
> Key: WHIMSY-364
> URL: https://issues.apache.org/jira/browse/WHIMSY-364
> Project: Whimsy
> Issue Type: Bug
> Components: SecMail
> Reporter: Matt Sicker
> Assignee: Craig L Russell
> Priority: Major
>
> https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it
> I'm surprised I didn't notice this back when we were switching to the SKS key server mirrors. It seems like we have a few options:
> * Use https://keys.openpgp.org which has stricter security, though it requires that key uploaders verify their email address with that site in order for their published keys to be publicly searchable (not sure if that applies to the key id directly)
> * GnuPG has a feature for storing and searching for PGP keys in LDAP if we want to host keys somewhere more standardized, but this doesn't help for people who don't already have an account
> * Offer some method for submitters to include an HTTPS link to download their PGP key
--
This message was sent by Atlassian Jira
(v8.3.4#803005)