[Pkg-privacy-maintainers] Bug#931465: monkeysphere-authentication: improve OpenPGP certificate retrieval

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jul 5 14:36:08 BST 2019


Package: monkeysphere
Version: 0.44-1
Severity: wishlist

Given the ongoing troubles with OpenPGP certificate distribution (SKS
certificate flooding, etc), it would be good to have a way to manually
inject certificates that the monkeysphere-authentication subsystem could
know about.

It would also be good to be able to discover OpenPGP certificates from
user IDs based on alternate query approaches, like WKD, DANE/OPENPGPKEY,
etc.

Currently, an administrator might do:

    monkeysphere-authentication gpg-cmd --import < /path/to/newcert.key

or

    monkeysphere-authentication gpg-cmd --locate-keys email@example.org

But i'd really like to deprecate "monkeysphere-authentication gpg-cmd"
in general (so that we can at some point implement monkeysphere without
using gpg on the backend).

So that suggests that the local administrator who has some other means
of certificate retrieval probably wants to be able to do:

    monkeysphere-authentication import < /path/to/newcert.key

And that "monkeysphere-authentication update-users" ought to do WKD and
DANE lookups where possible when trying to discover new certificates.

This also means that it's likely that monkeysphere-authentication needs
to think about how to refresh (for revocations, subkey updates)
differently than it does for lookup by user ID.

With these fixes in place, monkeysphere should probably also focus on
fetching refreshes from some stable, robust keyserver like
hkps://keys.openpgp.org.

So this bug report is asking for all of these fixes in
monkeysphere-authentication.

      --dkg
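The two discovery methods the report asks for (WKD and DANE/OPENPGPKEY) are
both deterministic transforms of the e-mail address in a user ID, so a
monkeysphere-authentication that no longer shells out to gpg would have to
compute them itself. The following is an added example, not code from the
report or from the monkeysphere project: it extracts the address from an
OpenPGP user ID, derives the two WKD URLs (the "advanced" and "direct"
methods, with the local part lowercased before SHA-1 and z-base32 encoding,
as the Web Key Directory draft specifies) and the OPENPGPKEY owner name
(SHA-256 of the local part, truncated to 28 octets, as RFC 7929
specifies). It only builds the URLs and DNS names; fetching and verifying
the returned certificate is out of scope here. RFC 7929 leaves local-part
canonicalization to the mail provider, so the DANE helper hashes the local
part exactly as given; treat that as an assumption of this example.

```python
import hashlib
from email.utils import parseaddr
from urllib.parse import quote

# z-base-32 alphabet as used by the Web Key Directory draft
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding); 20 bytes -> 32 characters."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(bits >> nbits) & 31])
    if nbits:  # left-align the remaining bits in a final character
        out.append(ZBASE32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def address_from_user_id(user_id: str) -> str:
    """Pull the e-mail address out of an OpenPGP user ID such as
    'Joe Doe (comment) <joe@example.org>' or a bare address."""
    _, addr = parseaddr(user_id)
    if "@" not in addr:
        raise ValueError(f"no e-mail address in user ID: {user_id!r}")
    return addr


def split_address(addr: str) -> tuple[str, str]:
    """Split on the last '@'; the domain is case-insensitive, the local
    part is returned unchanged so callers can apply their own rules."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {addr!r}")
    return local, domain.lower()


def wkd_urls(addr: str) -> tuple[str, str]:
    """Return (advanced_url, direct_url) for a WKD lookup of addr.
    Hash input is the lowercased local part; the ?l= query parameter
    carries the local part as written, percent-encoded."""
    local, domain = split_address(addr)
    hu = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{hu}?l={l_param}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}"
    return advanced, direct


def dane_openpgpkey_name(addr: str) -> str:
    """Return the OPENPGPKEY owner name for addr (RFC 7929): SHA-256 of
    the UTF-8 local part truncated to 28 octets (56 hex digits), then
    '._openpgpkey.' and the domain. Assumption: no provider-specific
    canonicalization of the local part is applied."""
    local, domain = split_address(addr)
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{digest}._openpgpkey.{domain}"


def discovery_targets(user_id: str) -> dict:
    """Everything a certificate-discovery step would need to query for
    one user ID, in the order a client would try them."""
    addr = address_from_user_id(user_id)
    advanced, direct = wkd_urls(addr)
    return {
        "address": addr,
        "wkd_advanced": advanced,
        "wkd_direct": direct,
        "dane_owner_name": dane_openpgpkey_name(addr),
    }


if __name__ == "__main__":
    # constructed sample user ID, not a real person
    for key, value in discovery_targets("Joe Doe <Joe.Doe@Example.ORG>").items():
        print(f"{key}: {value}")
```

The WKD draft publishes a worked example for the address Joe.Doe@Example.ORG;
running the block with that address reproduces the draft's URL, which is a
quick way to confirm the z-base-32 step against an independent source.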