
WKD & redirects: draft-koch-openpgp-webkey-service vs GnuPG
gpg 2.3.8...

Over at Gentoo we got this bug filed about the WKD setup:
https://bugs.gentoo.org/877791

$ gpg -v --auto-key-locate wkd --locate-external-keys infrastructure@gentoo.org
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: (further info: changed from 'https://gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure' to 'https://www.gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure')

We have a tiny anycast service at the Apex https://gentoo.org/ that redirects *everything* to www.gentoo.org; no exceptions possible.

The draft RFC, at least as of version 14, doesn't say either way if redirects
are permitted or forbidden.

If they are indeed forbidden, can the RFC get updated to say as much?

Otherwise, if Redirects aren't forbidden, I feel the warning should be removed
for this case (and a note about how they are accepted should be added to the
RFC).

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
Re: WKD & redirects: draft-koch-openpgp-webkey-service vs GnuPG
Hi Robin,

On Saturday, 22 October 2022 00:58:51, Robin H. Johnson via Gnupg-devel wrote:
> Over at Gentoo we got this bug filed about the WKD setup:
> https://bugs.gentoo.org/877791

Using the advanced WKD detection method with
openpgpkey.gentoo.org
seems to be the way to go from my view.
As the advanced method is tried first, this should just work.
And Werner stated a preference for it in one email.

> The draft RFC, at least as of version 14, doesn't say either way if
> redirects are permitted or forbidden.

https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-14#section-3.1
The HTTP GET method MUST return the binary representation of the
OpenPGP key for the given mail address.

This can be read as a hint that no redirect is allowed (as GET would
then return the redirection target URL). It is not very explicit, though.

Thanks for your hint, I believe Werner will consider it, when updating the WKD
specification the next time.

Best Regards,
Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter
Re: WKD & redirects: draft-koch-openpgp-webkey-service vs GnuPG
On Fri, 21 Oct 2022 22:58, Robin H. Johnson said:
> gpg 2.3.8...
>
> Over at Gentoo we got this bug filed about the WKD setup:
> https://bugs.gentoo.org/877791
>
> $ gpg -v --auto-key-locate wkd --locate-external-keys infrastructure@gentoo.org
> gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
> gpg: (further info: changed from
> 'https://gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure'
> to
> 'https://www.gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure')
>
> We have a tiny anycast service at the Apex https://gentoo.org/ that
> redirects *everything* to www.gentoo.org; no exceptions possible.

Which is quite common. Does this

--8<---------------cut here---------------start------------->8---
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 20f71f61b..f11e7765b 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -3619,6 +3619,7 @@ same_host_p (parsed_uri_t a, parsed_uri_t b)
};
static const char *subdomains[] =
{
+ "www.",
"openpgpkey."
};
int i;
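Review bot: adding "www." to the subdomains array widens the set of redirect targets same_host_p silently accepts, so the change deserves a one-line comment at the array and a NEWS/doc note saying that a redirect from the bare domain to its www. host is now followed without the "unacceptable HTTP redirect" warning. Since the hunk only adds the string, please also confirm that the loop over `subdomains` (not visible here) requires the remainder after the prefix to be exactly the original host, so that only `www.<host>` matches and not some longer name that merely starts with it; the author marks the patch untested, so a quick check against the gentoo.org case from the report would be worthwhile before it lands.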
--8<---------------cut here---------------end--------------->8---

untested patch help to silence the warning?

> Otherwise, if Redirects aren't forbidden, I feel the warning should be removed
> for this case (and a note about how they are accepted should be added to the

Yep. However, I don't think this is something which needs
specification. Implementations are free to handle this on their own.


Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
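As an added example (not code from this thread, and not GnuPG's own dirmngr logic), here is a Python sketch of the redirect policy the thread is discussing: a WKD redirect is followed only if it stays on https, keeps the path and query untouched, and lands on the same host or one of a short list of accepted subdomain prefixes of it; anything else is "cleaned up" by falling back to the original URL. The prefix list and the one-directional host comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Prefixes treated as "the same host" for a WKD redirect. "openpgpkey." is the
# advanced-method host from the draft; "www." is the addition proposed in the
# thread. Assumption: this models the intent of the discussion, not dirmngr.
DEFAULT_SUBDOMAINS = ("openpgpkey.", "www.")

# URLs from the bug report quoted in the thread (the hash is the z-base-32
# WKD hash of the local part "infrastructure" as gpg printed it).
ORIGINAL_URL = ("https://gentoo.org/.well-known/openpgpkey/hu/"
                "gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure")
WWW_URL = ORIGINAL_URL.replace("https://gentoo.org/", "https://www.gentoo.org/")


def same_host(original_host: str, target_host: str,
              subdomains=DEFAULT_SUBDOMAINS) -> bool:
    """True if target is the original host or an accepted subdomain of it.

    The comparison is exact: "www.gentoo.org" matches "gentoo.org", but a
    longer name that merely starts with "www.gentoo.org" does not.
    """
    a, b = original_host.lower(), target_host.lower()
    return a == b or any(b == prefix + a for prefix in subdomains)


def check_wkd_redirect(original: str, target: str,
                       subdomains=DEFAULT_SUBDOMAINS):
    """Return (accepted, url_to_fetch).

    A redirect is accepted only when both URLs are https, the WKD path and
    query are unchanged, and the hosts pass same_host(). When rejected, the
    caller keeps fetching the original URL, which is what the gpg warning
    "unacceptable HTTP redirect from server was cleaned up" describes.
    """
    o, t = urlsplit(original), urlsplit(target)
    accepted = (
        o.scheme == "https" and t.scheme == "https"
        and o.path == t.path and o.query == t.query
        and same_host(o.hostname or "", t.hostname or "", subdomains)
    )
    return accepted, (target if accepted else original)


if __name__ == "__main__":
    # Behaviour reported for gpg 2.3.8 (only "openpgpkey." accepted) versus
    # the behaviour with "www." added to the list.
    print("before patch:", check_wkd_redirect(ORIGINAL_URL, WWW_URL, ("openpgpkey.",)))
    print("after patch: ", check_wkd_redirect(ORIGINAL_URL, WWW_URL))
```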