From c1455ade731ffdbc294329228fa2ab93e60412e9 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 6 Dec 2023 21:54:57 +0100 Subject: [PATCH] hockeypuck note --- book/source/04-certificates.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 710342f..d7b3c03 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -641,6 +641,12 @@ The KOO keyserver was designed to: To achieve these goals, KOO does not serve identitiy components at all, unless an explicit opt-in has been performed, using a confirmation process vial email. Third-party certifications are also not served by default, but only under very specific circumstances, which preclude flooding. ``` +#### Hockeypuck-based keyservers + +Currently, third-party certification flooding can be worked around by users or administrators requesting the removal/re-adding of a certificate. [See here](https://github.com/hockeypuck/hockeypuck/wiki/HIP-1:-Regaining-control-over-public-key-identity-with-authenticated-key-management). + +Additional mechanisms [are upcoming](1pc3pc-support). + ### First-Party attested third-party certifications in OpenPGP (1pa3pc) [First-Party attested third-party certifications in OpenPGP](https://datatracker.ietf.org/doc/draft-dkg-openpgp-1pa3pc/) are a "mechanism to allow the owner of a certificate to explicitly approve of specific third-party certifications". 1pa3pc was designed to enable flooding-proof distribution of third-part certifications. 
@@ -649,6 +655,7 @@ This mechanism uses the *attested certifications* signature subpacket (type ID ` [^ac-draft]: Introducing the *attested certifications* signature subpacket (type ID `37`) was unfortunately not in scope of the chartered topics for the current "crypto-refresh" work of the OpenPGP working group. However, hopefully the working group can handle this feature in future rechartering. +(1pc3pc-support)= #### Support - The *keys.openpgp.org* (KOO) keyserver [supports *1pa3pc*](https://gitlab.com/keys.openpgp.org/hagrid/-/commit/39c0e12ac64588220d36bada6497d8396f5915b3).
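Review bot: In the first hunk (the new "Hockeypuck-based keyservers" section), the link text "[See here](...)" says nothing about its target, and the sentence before it does not explain how removing and re-adding a certificate helps against third-party certification flooding. Suggest folding the link into the sentence with descriptive text, for example "as described in [HIP-1: Regaining control over public key identity with authenticated key management](...)", and adding a clause on what the removal/re-adding achieves. "Currently" will also age quickly in a book; a date or a Hockeypuck version would anchor the statement.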
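Review bot: In the second hunk, the new target label `(1pc3pc-support)=` is spelled "1pc3pc", while the mechanism is called "1pa3pc" in the section heading and in the rest of the visible text. The reference added in the first hunk, `[are upcoming](1pc3pc-support)`, uses the same spelling, so the link resolves, but the label should be renamed to `1pa3pc-support` in both places to keep it searchable and consistent. It is also worth confirming that the "Support" section has a Hockeypuck entry: the new paragraph points here for "upcoming" mechanisms, yet the only list item visible in this hunk is about KOO.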