outline koo; add 1pa3pc

book/source/04-certificates.md

@@ -628,3 +628,27 @@ Without any restrictions in place, malicious entities can flood a certificate wi
 It also opens the door to potential denial-of-service attacks, rendering the certificate non-functional or significantly impeding its operation.
 
 The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) in 2019, causing significant changes to its operation.
+
+```{note}
+The *keys.openpgp.org* (KOO) service performs a similar function as the SKS-style keyservers.
+However, there are major differences in its design and tradeoffs.
+ 
+The KOO keyserver was designed to:
+
+1. conform to [GDPR regulations](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation), and
+2. be resistant to flooding-style vandalism.
+ 
+To achieve these goals, KOO does not serve identitiy components at all, unless an explicit opt-in has been performed, using a confirmation process vial email. Third-party certifications are also not served by default, but only under very specific circumstances, which preclude flooding.
+```
+
+### First-party attestation of third-party signatures (1pa3pc)
+
+First-party attestation of third-party signatures (1pa3pc) was designed as a mechanism for flooding-proof distribution of third-part certifications.
+
+TODO
+
+#### Support
+
+The *keys.openpgp.org* (KOO) keyserver [supports *1pa3pc*](https://gitlab.com/keys.openpgp.org/hagrid/-/commit/39c0e12ac64588220d36bada6497d8396f5915b3).
+
+The Hockeypuck keyserver software [plans to add support for *1pa3pc*](https://github.com/hockeypuck/hockeypuck/issues/136#issuecomment-1812466084) in version 2.2.0.