consider local key exchange mechanisms (geysigning, safeslinger)
The geysigning project, which reuses (and improves on!) parts of the Monkeysign code, introduces a novel idea of not depending on the keyservers to fetch the public key material before signing. To quote their README file:
In contrast to caff or monkeysign, this tool enables you to sign a key without contacting a key server. It downloads an authenticated copy of the key from the other party. For now, the key is authenticated by its fingerprint which is securely transferred via a QR code. Alternatively, the user may type the fingerprint manually, assuming that it has been transferred securely via the audible channel.
I haven't figured out exactly how the key material is copied - it is presumably done through some Avahi protocol?
OpenKeychain has its own way of doing those transfers, which are implemented as a multi-party "keysigning party" protocol of some sort. It uses an app called SafeSligner for which there is a Python library we could reuse as well.
List of possible implementations:
- [geysigning][geysigning project] - homegrown avahi + httpserver
- [SafeSlinger] - custom protocol?
- FlyWeb - standardized web-based avahi + httpserver?