author Joey Hess <joeyh@joeyh.name> 2017-04-29 12:23:29 -0400
committer Joey Hess <joeyh@joeyh.name> 2017-04-29 13:07:48 -0400
commit 237b94f6c687675215f78fba28d7e003a2b9ab7d
tree e4c2c6144e1d5563218b8686cee508146a1370c8 /TODO
parent 46245781f26d49037102a4c74001f47a345fa567
add Gpg web of trust parser
Diffstat (limited to 'TODO')
-rw-r--r-- TODO 6
1 files changed, 6 insertions, 0 deletions
diff --git a/TODO b/TODO
index 01ce2e3..6634f5c 100644
--- a/TODO
+++ b/TODO
@@ -1,3 +1,9 @@
+* GPG WoT is checked by querying pgp.cs.uu.nl, could use wotsap if it's
+ locally installed. However, the version of wotsap in debian only supports
+ short, insecure keyids, so is less secure than using the server.
+* Once we have a WoT path, we could download each gpg key in the path and
+ verify the path. This would avoid trusting pgp.cs.uu.nl not to be evil.
+ Not done yet, partly because downloading a lot of gpg keys is expensive.
* Multiple --downloads at the same time or close together fail
with "thread blocked indefinitely in an STM transaction"
Also see it occasionally with --debug.
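Review bot: In the second added item, "verify the path" does not say what is checked, and that matters because the first item rejects wotsap specifically for using short, insecure keyids. Suggest stating that each key on the path is fetched by full fingerprint and that each hop's certification is checked against the preceding key, so the download step does not reintroduce the weakness the first item describes. It would also help to say in the first item that, until path verification exists, the WoT result depends on pgp.cs.uu.nl being honest, so the two entries read as one known limitation rather than as separate notes.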