diff --git a/dist/templates/about/faq.html.hbs b/dist/templates/about/faq.html.hbs index 477e12b..d28196b 100644 --- a/dist/templates/about/faq.html.hbs +++ b/dist/templates/about/faq.html.hbs @@ -26,6 +26,49 @@ keys.openpgp.org.

+

+ Do you distribute "third party signatures"?

+ +

+ Short answer: No. +

+ +

+ A "third party signature" is a signature on a key + that was made by some other key. + Most commonly, + those are the signatures produced when "signing someone's key", + which are the basis for + the "Web of Trust". + For a number of reasons, + those signatures are not currently distributed + via keys.openpgp.org. +

+ +

+ The killer reason is spam. + Third party signatures allow attaching arbitrary data to anyone's key, + and nothing stops a malicious user from + attaching so many megabytes of bloat to a key + that it becomes practically unusable. + Even worse, + they could attach offensive or illegal content. +

+ +

+ There are ideas to resolve this issue. + For example, signatures could be distributed with the signer, + rather than the signee. + Alternatively, we could require + cross-signing by the signee before distribution + to support a + caff-style + workflow. + If there is enough interest, + we are open to working with other OpenPGP projects + on a solution. +

+

Why are revoked identities not distributed as such?
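Review bot: The new answer (the paragraph beginning "A "third party signature" is a signature on a key") says these signatures "are not currently distributed via keys.openpgp.org" but never tells the reader what happens to them on upload, which is the practical question a key holder has: are they stripped silently, or is an upload carrying them rejected? Add one sentence stating the actual behaviour right after "via keys.openpgp.org." Two smaller points in the same hunk: "The killer reason is spam." reads as slang for an FAQ next to "Short answer: No." and "Why are revoked identities not distributed as such?"; "The main reason is spam." fits the register. And "signee" (used in "rather than the signee" and "cross-signing by the signee") is not defined anywhere in the answer; since the paragraph already introduces "signing someone's key", say "the owner of the signed key" on first use so the caff-style proposal is unambiguous.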