hockeypuck note

Heiko Schaefer 2023-12-06 21:54:57 +01:00
parent 31b62a09af
commit c1455ade73
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB


@ -641,6 +641,12 @@ The KOO keyserver was designed to:
To achieve these goals, KOO does not serve identitiy components at all, unless an explicit opt-in has been performed, using a confirmation process vial email. Third-party certifications are also not served by default, but only under very specific circumstances, which preclude flooding.
```
#### Hockeypuck-based keyservers
Currently, third-party certification flooding can be worked around by users or administrators requesting the removal/re-adding of a certificate. [See here](https://github.com/hockeypuck/hockeypuck/wiki/HIP-1:-Regaining-control-over-public-key-identity-with-authenticated-key-management).
Additional mechanisms [are upcoming](1pc3pc-support).
### First-Party attested third-party certifications in OpenPGP (1pa3pc)
[First-Party attested third-party certifications in OpenPGP](https://datatracker.ietf.org/doc/draft-dkg-openpgp-1pa3pc/) are a "mechanism to allow the owner of a certificate to explicitly approve of specific third-party certifications". 1pa3pc was designed to enable flooding-proof distribution of third-part certifications.
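Review bot: the cross-reference target `(1pc3pc-support)` in the new "Additional mechanisms [are upcoming](1pc3pc-support)." line misspells the mechanism's name; the section it points to is titled "First-Party attested third-party certifications in OpenPGP (1pa3pc)", and the label is introduced by this same commit, so rename it to `1pa3pc-support` at both ends before the typo spreads to other links. The new "#### Hockeypuck-based keyservers" heading is also emitted directly after the closing ``` fence of the preceding block with no blank line; the other headings in this file are separated from surrounding content, so add one for consistency and to keep some Markdown renderers from attaching the heading to the fence. "Additional mechanisms" is vague for a reader who does not follow the link; naming the mechanism ("1pa3pc support is upcoming") would make the sentence self-contained. While touching this region, the context lines carry "identitiy", "vial email" and "third-part" (should be "identity", "via email", "third-party"), which could be fixed in the same commit.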
@ -649,6 +655,7 @@ This mechanism uses the *attested certifications* signature subpacket (type ID `
[^ac-draft]: Introducing the *attested certifications* signature subpacket (type ID `37`) was unfortunately not in scope of the chartered topics for the current "crypto-refresh" work of the OpenPGP working group. However, hopefully the working group can handle this feature in future rechartering.
(1pc3pc-support)=
#### Support
- The *keys.openpgp.org* (KOO) keyserver [supports *1pa3pc*](https://gitlab.com/keys.openpgp.org/hagrid/-/commit/39c0e12ac64588220d36bada6497d8396f5915b3).
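Review bot: the new `(1pc3pc-support)=` label carries the same "1pc3pc" typo as the link that targets it in the Hockeypuck paragraph above; both should read `1pa3pc-support` so the label matches the "1pa3pc" name used in the section heading. More importantly, the Hockeypuck paragraph sends the reader here with "Additional mechanisms are upcoming", but the "Support" list below contains only the keys.openpgp.org entry, which already supports 1pa3pc, so the forward reference currently lands on nothing about Hockeypuck. Either add a bullet for Hockeypuck's status under "#### Support" (with a link to wherever that work is tracked, if one exists), or drop the forward link and keep the Hockeypuck paragraph self-contained.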