Add "verified" checkbox to e-mail address using WKD #95

Open
opened 1 year ago by wiktor · 3 comments
wiktor commented 1 year ago

An idea:

Keyoxide could additionally verify if the e-mail address displayed in the profile has an associated key retrievable via WKD, and if it's the same key it could display a verified checkbox.

Thus even visiting a key via fingerprint: https://keyoxide.org/9f0048ac0b23301e1f77e994909f6bd6f80f485d would trigger WKD lookups to see if the key owner controls the e-mail's domain too.
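
The lookup proposed above, sketched as an added example (not part of the original thread and not Keyoxide's code): derive the two WKD URLs for an address as the WKD draft specifies, then compare the profile fingerprint with the fingerprints of the keys the domain served. The function names `wkd_urls` and `same_key` are hypothetical; the HTTP fetch and OpenPGP parsing are left to an OpenPGP library.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """Encode bytes whose bit length is a multiple of 5 (SHA-1: 160 bits)."""
    nbits = len(data) * 8
    if nbits % 5:
        raise ValueError("bit length must be a multiple of 5")
    n = int.from_bytes(data, "big")
    return "".join(ZBASE32[(n >> s) & 31] for s in range(nbits - 5, -1, -5))

def _ascii_lower(s: str) -> str:
    # WKD maps only ASCII upper-case letters to lower case.
    return "".join(c.lower() if c.isascii() else c for c in s)

def wkd_urls(email: str) -> list:
    """Return [advanced_url, direct_url]; a client tries them in that order."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    domain = _ascii_lower(domain)
    digest = hashlib.sha1(_ascii_lower(local).encode("utf-8")).digest()
    path = "hu/" + zbase32(digest) + "?l=" + quote(local, safe="")
    return [
        f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{path}",
        f"https://{domain}/.well-known/openpgpkey/{path}",
    ]

def _norm(fpr: str) -> str:
    fpr = "".join(fpr.split()).lower()
    return fpr[2:] if fpr.startswith("0x") else fpr

def same_key(profile_fpr: str, wkd_fprs) -> bool:
    """True only if the profile's key is among the keys the domain serves.

    wkd_fprs: fingerprints of the primary keys parsed from the WKD response
    (parsing not shown). An empty or failed lookup yields no checkbox.
    """
    return _norm(profile_fpr) in {_norm(f) for f in wkd_fprs}

if __name__ == "__main__":
    # Constructed sample address (the example from the WKD draft).
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
```

Comparing full fingerprints rather than key IDs matters here: the checkbox would assert that the domain serves this exact key, so a partial match is not enough.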

Owner

But wouldn't you agree this is quite a "niche" verification? People with an address hosted by an email provider wouldn't benefit from this, only the selfhosters would.

I agree email verification is still lacking and quite an improvement if implemented. I suppose we could also instantly verify email addresses when keys.openpgp.org returns the data to us.

Poster

> But wouldn't you agree this is quite a "niche" verification? People with an address hosted by an email provider wouldn't benefit from this, only the selfhosters would.

Agreed. Still this is nice that the key has been validated "at the source" instead of relying purely on keys.openpgp.org :)

> I agree email verification is still lacking and quite an improvement if implemented. I suppose we could also instantly verify email addresses when keys.openpgp.org returns the data to us.

Yep, that's also one interesting angle: even for WKD keys e-mails could be cross-verified with keys.openpgp.org.

I also had an idea of e-mail verification through DKIM signing similar to https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4 but... maybe I'll leave it to another time :)

Owner

Ok, sounds like a useful enhancement. Planning on implementing.
yarmo added the enhancement label 12 months ago
yarmo added this to the Feature development project 12 months ago