
CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
> The "make a CNAME of your openpgpkeys subdomain to
> wkd.keys.openpgp.org" couldn't work with https certificate validation,
> though (or are they requesting a certificate on-the-fly?)

In fact, i believe that keys.openpgp.org *is* requesting and retaining a
certificate on-the-fly if it finds itself addressed by such a CNAME.

--dkg
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
Daniel Kahn Gillmor via Gnupg-users <gnupg-users@gnupg.org> wrote:
> On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
> > The "make a CNAME of your openpgpkeys subdomain to
> > wkd.keys.openpgp.org" couldn't work with https certificate validation,
> > though (or are they requesting a certificate on-the-fly?)
>
> In fact, i believe that keys.openpgp.org *is* requesting and retaining a
> certificate on-the-fly if it finds itself addressed by such a CNAME.

Yep. If that wasn't possible, we wouldn't do it.

btw, if anyone is interested: keys.o.o serves wkd for 224 domains right now.

- V

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
Hello Group!

On 16.01.21 at 03:26, Vincent Breitmoser via Gnupg-users wrote:
>
> Daniel Kahn Gillmor via Gnupg-users <gnupg-users@gnupg.org> wrote:
>> On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
>>> The "make a CNAME of your openpgpkeys subdomain to
>>> wkd.keys.openpgp.org" couldn't work with https certificate validation,
>>> though (or are they requesting a certificate on-the-fly?)
>>
>> In fact, i believe that keys.openpgp.org *is* requesting and retaining a
>> certificate on-the-fly if it finds itself addressed by such a CNAME.
>
> Yep. If that wasn't possible, we wouldn't do it.
>
> btw, if anyone is interested: keys.o.o serves wkd for 224 domains right now.
>
> - V

Now I'm a bit confused :O
I thought WKD can be used with your own webserver. So why do I have to
make a CNAME record pointing to "wkd.keys.openpgp.org"?

Or did I misunderstand something?

BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?

best regards
Juergen


--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users
<gnupg-users@gnupg.org> wrote:
>
> Hello Group!

> BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?

Hi Juergen,

As a Windows DAU (Dümmster Anzunehmender User, "dumbest assumable user"), I used the direct method:

Create in your web server's root directory the following:

a folder named 'openpgpkey'; put in that folder another folder named 'hu'.

In the openpgpkey folder put a policy file, named 'policy'; it can be empty.

In the hu folder put the binary blob of your pub key(s).

To create the proper pub key do the following:

gpg --list-keys --with-wkd-hash

It will show you your pub keys' data with an additional hash.

In order to export your pub key do the following:

gpg --export your_pubkey >hash_as_filename

Put that binary blob of your pub key in your hu folder so that the
filename shows the hash, without the @email part.

Then use Wiktor's WKD checker to check your result.

If everything went well you can try to fetch your pub key with

gpg --locate-keys juergen@email.address

Hope this helps and please report back your results.

Best regards
Stefan

Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
On Sat, Jan 16, 2021 at 12:52 PM Stefan Claas
<spam.trap.mailing.lists@gmail.com> wrote:
>
> On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users
> <gnupg-users@gnupg.org> wrote:
> >
> > Hello Group!
>
> > BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?
>
> Hi Juergen,
>
> me as a Windows DAU (Dümmster Anzunehmnder User) used the direct-method:

[EDIT]

> Create in your web server's root directory the following:
> a directory '.well-known' and in that
> a folder named 'openpgpkey' put in that folder another folder named: 'hu'.

Regards
Stefan

Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
On Sat, Jan 16, 2021 at 12:55 PM Stefan Claas
<spam.trap.mailing.lists@gmail.com> wrote:
>
> On Sat, Jan 16, 2021 at 12:52 PM Stefan Claas
> <spam.trap.mailing.lists@gmail.com> wrote:
> >
> > On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users
> > <gnupg-users@gnupg.org> wrote:
> > >
> > > Hello Group!
> >
> > > BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?
> >
> > Hi Juergen,
> >
> > me as a Windows DAU (Dümmster Anzunehmnder User) used the direct-method:
>
> [EDIT]
>
> > Create in your web server's root directory the following:
> > a directory '.well-known' and in that
> > a folder named 'openpgpkey' put in that folder another folder named: 'hu'.

[EDIT #2] With root directory I mean where you have stored your HTML content
which shows up when someone is visiting your site.

Regards
Stefan

Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
> Now I'm a bit confused :O
> I thought WKD can be used with your own webserver. So why do I have to
> make a CNAME recort pointing to "wkd.keys.openpgp.org"?
>
> Or did I understand anything wrong?

Sorry, that was confusing without context. Yes, WKD is bound to the domain of
the email address, and as such it will typically be hosted together with the
email server itself, or at least by the same entity.

Using the advanced WKD method, it's possible to "outsource" hosting using
a CNAME, and keys.o.o will do the rest:

https://keys.openpgp.org/about/usage#wkd-as-a-service

But this is only a shortcut for convenience. WKD works best when it is run
decentralized by the email hosters themselves.

- V
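As an added worked example (not code from this thread, from GnuPG or from keys.openpgp.org), the Python below computes the WKD hash that Stefan's `gpg --list-keys --with-wkd-hash` step prints, the direct-method file layout his post describes, and the two lookup URLs Vincent's reply distinguishes: the advanced method on the openpgpkey.<domain> host (the host you would CNAME to wkd.keys.openpgp.org) and the direct method on the bare domain. The sample address is the one used in the WKD draft; nothing here touches the network.

```python
import hashlib
from pathlib import PurePosixPath
from urllib.parse import quote

# z-base-32 alphabet used by GnuPG for WKD hashes (draft-koch-openpgp-webkey-service)
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """z-base-32 encode: 5 bits per character, most significant bits first,
    zero-padded on the right (a 20-byte SHA-1 digest is exactly 32 characters)."""
    nbits = len(data) * 8
    nchars = -(-nbits // 5)                      # ceil(nbits / 5)
    n = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZB32_ALPHABET[(n >> (5 * i)) & 31] for i in range(nchars - 1, -1, -1))


def wkd_hash(email: str) -> str:
    """The filename under hu/: SHA-1 of the lowercased local part, z-base-32 encoded.
    The domain is not part of the hash, which is why the '@email part' is dropped."""
    local, _, _domain = email.rpartition("@")
    return zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())


def direct_method_paths(email: str) -> dict:
    """Files to place under the web root for the direct method described in the thread."""
    base = PurePosixPath(".well-known/openpgpkey")
    return {"policy": str(base / "policy"),             # may be empty, but must exist
            "key": str(base / "hu" / wkd_hash(email))}  # binary (not armored) key export


def wkd_urls(email: str) -> dict:
    """The two URLs a WKD client tries. The advanced method lives on the
    openpgpkey.<domain> host (the one a CNAME to wkd.keys.openpgp.org would
    cover) and is tried first; the direct method on the bare domain is the fallback."""
    local, _, domain = email.rpartition("@")
    domain, h, l = domain.lower(), wkd_hash(email), quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


if __name__ == "__main__":
    # Sample address taken from the WKD draft's own example; no lookup is performed.
    addr = "Joe.Doe@Example.ORG"
    print(wkd_hash(addr))
    print(direct_method_paths(addr))
    print(wkd_urls(addr))
```

Whichever method you publish, the client fetches over HTTPS with normal certificate validation, which is why the CNAME shortcut only works because keys.openpgp.org obtains a certificate for openpgpkey.<domain> itself.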
