I happened to notice that the README lists a PGP key to be used for security issues and that it's on keys.pgp.mit.edu.
I think you might want to upload it also at https://keys.openpgp.org/upload and confirm that you wish to list the key, as it's nowadays the default keyserver almost everywhere, and currently when someone attempts to get the key from there, gpg will reject it, at least on Debian:
$ LANG=en && !!
LANG=en && gpg --recv-keys "4B9665FB92636D177C7A86D350AAE8A959B13AF3"
gpg: key 0x50AAE8A959B13AF3: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
I think the linked pgp.mit.edu may also be vulnerable to signature flooding attacks, possibly preventing users who need to report security issues from using it. Have you thought about enabling WKD on ipfs.io, or even hosting the public key on IPFS and linking to it from the README.md?
Sorry if this is the wrong place to report this: https://github.com/ipfs/ipfs#security-issues-and-disclosures doesn't link to the PGP key at all, the last paragraph there seems to apply here (if someone had a grievance against IPFS and did signature flooding attacks, I think that would already have happened a long time ago), and the forum didn't seem the right place to me. I guess WKD should be a separate issue, but it came to me as an afterthought, while I think it's hoped to replace keyservers.
Edit: I forgot to say that I don't have an actual IPFS security issue to report; I was just browsing through repositories trying to find #957 (I think; I haven't read it yet) and stumbled upon this potential problem. I should also add that WKD-capable email clients will automatically attempt to download and use a key from WKD, which is an additional reason why I think it should be implemented.
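For anyone weighing the WKD suggestion above, the following is an added example by the editor (not code from the issue author or the IPFS project) that shows what a WKD deployment actually has to publish: for a given mail address it derives the WKD hash (Z-Base32 of SHA-1 of the lowercased local part) and the advanced-method and direct-method URLs a client such as gpg will fetch, per the OpenPGP Web Key Directory draft. The addresses used are constructed examples; the issue names no contact address, so nothing here is the real IPFS security mailbox.

```python
"""Compute OpenPGP Web Key Directory (WKD) lookup URLs for a mail address.

Added example (not code from the issue or the IPFS project). It follows the
WKD draft (draft-koch-openpgp-webkey-service): the local part is lowercased,
hashed with SHA-1, Z-Base32 encoded, and placed under .well-known/openpgpkey.
The addresses used below are constructed examples, not real IPFS contacts.
"""
import hashlib

# Z-Base32 alphabet as used by WKD (not the RFC 4648 base32 alphabet).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as Z-Base32 without padding (20 bytes -> 32 chars)."""
    bits = 0
    nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 0x1F])
    if nbits:  # left-align the leftover bits into one final character
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hash: Z-Base32(SHA-1(lowercased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct method URLs plus the policy file URLs.

    Clients try the advanced method (openpgpkey.<domain>) first and fall
    back to the direct method. The ?l= parameter carries the local part as
    typed, so the server can map mixed-case mailboxes if it needs to.
    """
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "hash": h,
        "advanced": f"{advanced_base}/hu/{h}?l={local}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct": f"{direct_base}/hu/{h}?l={local}",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    # Joe.Doe@Example.ORG is the worked example from the WKD draft itself;
    # security@example.org is a constructed placeholder.
    for addr in ("Joe.Doe@Example.ORG", "security@example.org"):
        info = wkd_urls(addr)
        print(addr)
        for key, value in info.items():
            print(f"  {key:16} {value}")
```

On the server side the file at `hu/<hash>` must be the binary (not ASCII-armored) export of the key, served with an empty `policy` file beside it, so the check before announcing WKD is simply to compare the hash your server uses with what `gpg --with-wkd-hash --fingerprint <address>` prints, then fetch with `gpg --auto-key-locate clear,wkd --locate-external-keys <address>` from a machine that has never seen the key.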
And looking into this more closely, I notice that the key has been expired for a year and a half, so maybe it has just been forgotten in the README.md, or the expiry extensions weren't pushed to pgp.mit.edu?