Mailing List Archive

Thanks for starting this discussion Christoph, because it allows me to
add something else that has bothered me.

In my presentations about WKD (https://cloud.fs.al/s/5TNQm4sJyYN8qi4)
I try to explain it by thinking how a client would locate the key
through WKD.
I say that the client first looks for the presence of the "policy"
file with the advanced method, and if not found, looks for the
presence of the "policy" file with the direct method.
This allows the client to find out (discover) which method is
available/supported. After that, it tries to download the key with the
method (advanced or direct) that was discovered in the first step.
These steps are repeated each time that the client needs to download a
key (maybe each time that it needs to use it), so there is no problem
if there is a temporary failure, next time that it will try to
retrieve the key it will work.

What bothers me is that the way that I describe it, it does not depend
on the existence of domains or subdomains, it only checks for the
presence of the "policy" file. And I am not sure if this is completely
correct.

On Fri, Nov 5, 2021 at 3:59 PM Christoph Klassen via Gnupg-devel
<gnupg-devel@gnupg.org> wrote:
>
> Hello,
>
> in the draft of Werner Koch about WKD there is this paragraph:
>
> There are two variants on how to form the request URI: The advanced
> and the direct method. Implementations MUST first try the advanced
> method. Only if the required sub-domain does not exist, they SHOULD
> fall back to the direct method. [1]
>
> I think it needs to be clarified what it means that the sub-domain doesn't exist. If a server doesn't offer this sub-domain, it doesn't exist .. check. But what, if it does offer this sub-domain and the server isn't available for some reason? Does that case count as "does not exist"?
>
> [1] https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/
>
>
> Greetings,
>
> Christoph
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

On Fri, 5 Nov 2021 14:41, Christoph Klassen said:

> exist .. check. But what, if it does offer this sub-domain and the
> server isn't available for some reason? Does that case count as "does
> not exist"?

No. If you get an IP address to connect to, the server exists. I'll
add a note to the specs to clarify this.



Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

On 09.11.21 08:33, Werner Koch wrote:
> No. If you get an IP address to connect to, the server exists. I'll
> add a note to the specs to clarify this.

It could also be that the DNS name can be resolved, but no web server
exists or the server is offline.

There are these cases:

*A request for a pubkey gets a response with status 200.
*A request for a pubkey gets a response, but with a negative status like
404.
*A request isn't successful because of a NetworkError. In this case it's
not possible to say, if the DNS name couldn't be resolved or if there is
not web server.

A suggestion is that the direct method will be only used, if the third
case occures. Resolving DNS names would make it more difficult to
implement WKD (which was thought of as an easy solution to retrieve
pubkeys) and maybe it's not always possible. For example I'm not sure,
if extensions for internet browsers can do this.


Greetings,

Christoph




_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

On Fri, 12 Nov 2021 14:35, Christoph Klassen said:

> pubkeys) and maybe it's not always possible. For example I'm not sure,
> if extensions for internet browsers can do this.

The whole mess we had to implement (instead of proper SRV records) is
due to browser vendors who don't understand why SRV records are useful
and refuse to implement support for them.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Werner,
when talking about this, Christoph and I thought about how to implement
a WKD request without using GnuPG (in places where it is not easily
available).

We found that the current WKD draft [1] in practical terms seems to demand an
explicit DNS resolve attempt in many situations. The reason is that
some connection libraries would not allow to easily make a distinction
between a failed connection for network error from a name resolution error or
for a different reason.

An example in
Python 3.7.3 (default, Jan 22 2021, 20:04:44)
>>> import requests
>>> requests.__version__
'2.21.0'
>>> r=
requests.get('https://openpgpkey.intevation.de/.well-known/openpgpkey/intevation.de/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe')
[..]
requests.exceptions.ConnectionError:
HTTPSConnectionPool(host='openpgpkey.intevation.de', port=443): Max retries
exceeded with
url: /.well-known/openpgpkey/intevation.de/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe
(Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection
object at 0x7fcb0d9ec208>: Failed to establish a new connection: [Errno -2]
Name or service not known'))

This has the information in the string, so we would need to match
"Name or service not known" to make the distinction.
Which is possible but not nice.

And additional call would be better, like
import socket
try:
socket.getaddrinfo("openpgpkey.intevation.de", "443")
except socket.gaierror:
# try direct method

In a browser console (chromium 95.0.4638.69) we have not yet found how to get
that information at all:

url='https://openpgpkey.intevation.de/.well-known/openpgpkey/intevation.de/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe'
p = fetch(url)
Promise {<pending>}
VM398:1 GET
https://openpgpkey.intevation.de/.well-known/openpgpkey/intevation.de/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe
net::ERR_FAILED
VM398:1
Uncaught (in promise) TypeError: Failed to fetch
at <anonymous>:1:5
console.log(p)

The console shows part of the into in the "net::ERR_FAILED" message, but this
is not directly available from the variable p.
The documentation says
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#checking_that_the_fetch_was_successful
"A fetch() promise will reject with a TypeError when a network error is
encountered or CORS is misconfigured on the server-side, although this
usually means permission issues or similar "

Maybe this is the same in other libraries as well: the return of a TLS
connection attempt may not be structured well enough that it can be (easily
or at all) seen that it the DNS resolved okay, but something else (like TLS,
CORS, network connection problems) has happened. A clear test would need a
different (library) function call.

For browser extentions like Mailvelope there is no way to know in Chromium.
It could do a new dns.resolve() now, but see the nonexistent support in other
browsers:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/dns

Even if the environement of the WKD request implementation offers a DNS
resolve function, in the case of a DNS not resolving because of a network
error, we still cannot be sure that no DNS entry exists.

Would'nt it be easier then to say:
* Try to resolve the advanced WKD request for the email address in
question. And if the network connection fails, you SHOULD try the direct
method.

We considered using the mentioned test
WELLKNOWN/policy
Clients may use this file to check for Web Key Directory support.
as a test for the advanced method, but this would be one additional request
each time the attempt to get one specific pubkey via advanced WKD fails
before the direct method could be tried. Or one connection attempt each time
before trying the advanced method. But this would not be enough for the
current criteria of selecting the direct method in the draft.
Wouldn't it be an improvement to be more symmetric here? E.g. like if a
network request to the advanced method policy file fails, try the direct
method policy file and if that network request fails, assume no support for
WKD (for now.)

Best Regards,
Bernhard


[1] https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/13/
reads

Implementations MUST first try the advance method.
Only if an address for the required sub-domain does not
exist, they SHOULD fall back to the direct method. A non-responding
server does not mean that the fall back should be carried out.

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

On Wed, 17 Nov 2021 15:49, Bernhard Reiter said:

> Would'nt it be easier then to say:
> * Try to resolve the advanced WKD request for the email address in
> question. And if the network connection fails, you SHOULD try the direct
> method.

I currently don't think so. The direct method should go away anyway.

It is just a relic from the time we started with this thing. Sure
there is an additional burden to have a certificate for the subdomain
but given the slow acceptance of the Web Key Directory I would not
consider the direct method a real help for anyone. Those who run their
own webserver and might use the direct method, will also be able to
setup a subdomain.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Am Donnerstag 18 November 2021 10:37:21 schrieb Werner Koch via Gnupg-devel:
> On Wed, 17 Nov 2021 15:49, Bernhard Reiter said:
> > Would'nt it be easier then to say:
> > * Try to resolve the advanced WKD request for the email address in
> > question. And if the network connection fails, you SHOULD try the
> > direct method.
>
> I currently don't think so. The direct method should go away anyway.
>
> It is just a relic from the time we started with this thing. Sure
> there is an additional burden to have a certificate for the subdomain
> but given the slow acceptance of the Web Key Directory I would not
> consider the direct method a real help for anyone. Those who run their
> own webserver and might use the direct method, will also be able to
> setup a subdomain.

As we want to further usage, I'd say we should keep supporting
the direct method for quite a while, because it means more communication
partners and we reward early adopters (as they do not need to do any change.)
And there are implementation out there, facing them to change often without
major reason is a drawback for adoption.

So if we would recommand moving fully to the advanced method at some time
in the future. It would make even more sense to me to make it easier and be
pragmatic about when to fall back to the direct method for the time being.

There is one more feedback from Thomas about the empty DNS record:
He guesses that some people who manage DNS via a webbased interface
of their DNS provider may not be able to set an empty TXT record.
(Okay, this whole decision problem would go away if only the advanced method
is used in the future.)

One advantage I see in the direct method is that it leans toward recommending
do to this decentrally for each server and not using a central WKD service
or a number of sites.

Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

On 2021-11-17 at 15:49 +0100, Bernhard Reiter wrote:
> Even if the environement of the WKD request implementation offers a DNS
> resolve function, in the case of a DNS not resolving because of a network
> error, we still cannot be sure that no DNS entry exists.
>
> Wouldn't it be easier then to say:
> * Try to resolve the advanced WKD request for the email address in
> question. And if the network connection fails, you SHOULD try the direct
> method.


> We considered using the mentioned test
> WELLKNOWN/policy
> Clients may use this file to check for Web Key Directory support.
> as a test for the advanced method, but this would be one additional request
> each time the attempt to get one specific pubkey via advanced WKD fails
> before the direct method could be tried. Or one connection attempt each time
> before trying the advanced method.

You could cache for X time that domain Y has no advanced WKD support.

> But this would not be enough for the
> current criteria of selecting the direct method in the draft.
> Wouldn't it be an improvement to be more symmetric here? E.g. like if a
> network request to the advanced method policy file fails, try the direct
> method policy file and if that network request fails, assume no support for
> WKD (for now.)

+1. Sorry, Werner, but I think it should check if there is a WKD
repository there, not just a DNS entry. Of course, no DNS entry allows
you to skip it directly, but for detection, checking if there is an
actual WKD there (by existence of the keys and/or the policy file)
would simplify both the keys as well as the administration, by
simplifying the need to insert additional rr to remove disable wildcard
DNS.

I don't see a huge gain on forcing the fetch to fail for a non-
responsive *potential* advanced server, rather than falling back.
There's a potential leak of the request to those running the apex
server, but you can avoid that if you first check that there is a
policy file in the DIRECT method.
You might choose a different policy if you have reason to think that
there is an advanced server (e.g. you contacted it before) but just the
DNS entry is fragile by itself

Regards




_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel