Improve the "find some user's certificate" workflow
Here's the setting: a user wants to find the certificate for someone so they run:
$ sq pki list someone@example.org
No paths found.
That error message is a bit of a dead end. There are two things that the user could do:
- Look for certificates with the specified email address in public directories (key servers, WKD, etc.). For this, the user would use `sq network fetch someone@example.org`. We don't want to do this automatically as (1) it takes time, (2) it potentially exposes private details, which the user should explicitly opt in to.
- Mark some unauthenticated binding as authenticated. To do this, the user would use `sq pki link add`. The problem is that they have to identify the correct binding. For that, `sq pki link --gossip someone@example.org` may be helpful: it also shows unauthenticated bindings. Of course, the user should still be prompted to actually authenticate the returned bindings (e.g., compare the fingerprint with one printed on a business card, call the person, etc.).
Here's what I'm thinking. If there are unauthenticated bindings we show:
$ sq pki list someone@example.org
1 bindings match the query, but none of them could be authenticated. Pass `--gossip` to see the unauthenticated bindings.
Error: Could not authenticate any matching bindings.
If there are no matching bindings, we show:
$ sq pki list someone@example.org
No bindings match the query. Consider running `sq network fetch someone@example.org` to look up matching certificates on public directories.
Error: No matching bindings.
The `sq network fetch` hint could also be shown in the first case to prompt the user to look for additional certificates, but I worry that that might be overwhelming.
What do others (e.g., @teythoon, @fschmidtke, @malte_meiboom) think?