WKD lookup (Re: Web Key Service server lookup)

Bernhard Reiter bernhard at intevation.de
Wed Nov 2 10:45:07 CET 2016


On Tuesday 01 November 2016 18:15:49 Jürgen Schäpker wrote:
> >to alter the requests from
> >https://example.org/.well-known/openpgpkey/hu/XXXX
> >to
> >https://example.org/.well-known/openpgpkey/example.org/hu/XXXX
>
> That seems to be a reasonable workaround.

As pointed out by Peter: I think it can be solved by setup without a 
workaround.

The 00 version of the draft had the "domain" part in the URL,
however Werner decided to remove this, the main reason being URL
encoding and trouble with international domain names.

> I'm still not sure though why the hash shouldn't be designed by default as
> a unique ID, using the complete email address. Doing that removes the need
> for the server to know which domains it provides the lookup for.

We had some discussion on this on the list (which you may look up if you are 
interested in how the design came to be.)

I'd say that the server must know which email domains it will serve pubkeys 
for anyway. And it must be encoded in the request URL anyway, because this is
the only little trust anchor via checking the TLS cert. The 02 draft design 
meets the minimalist requirement for good design in this regard.

Best Regards,
Bernhard
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
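To make the design point in this thread concrete, here is an added illustration (not code from GnuPG, the draft, or either poster) of how a WKD client builds the lookup URL discussed above: the "hu" path component is the z-base-32 encoding of the SHA-1 hash of the lowercased local part only, so the domain reaches the server exclusively through the host name in the URL (and thus through the TLS certificate check Bernhard mentions). The address `Joe.Doe@Example.ORG` used below is a constructed sample; the z-base-32 alphabet and the hash construction are taken from the draft, while later draft revisions also append the local part as an `l=` query parameter, which the 02-era path shape under discussion here does not have and this example leaves out.

```python
"""Build the Web Key Directory (WKD) lookup URL for a mail address.

Added illustration for the gnupg-devel thread above (not GnuPG's or the
draft's own code). Only the local part is hashed, so two addresses with the
same local part but different domains yield the same "hu" component; the
domain is carried solely by the host name of the request URL.
"""
import hashlib

# z-base-32 alphabet used by the WKD draft; each character carries 5 bits.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding characters.

    A 20-byte SHA-1 digest is exactly 160 bits and therefore 32 characters.
    """
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # zero-pad to a multiple of 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def zbase32_decode(text: str) -> bytes:
    """Inverse of zbase32_encode; trailing padding bits are discarded."""
    bits = "".join(f"{ZB32.index(c):05b}" for c in text)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def split_address(addr: str):
    """Split 'local@domain', rejecting strings that are not a mail address."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {addr!r}")
    return local, domain


def wkd_hash(addr: str) -> str:
    """The 'hu' path component: z-base-32(SHA-1(lowercase(local part)))."""
    local, _domain = split_address(addr)
    digest = hashlib.sha1(local.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_url(addr: str) -> str:
    """Direct-method lookup URL: the domain appears only as the host name."""
    _local, domain = split_address(addr)
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(addr)}"


if __name__ == "__main__":
    sample = "Joe.Doe@Example.ORG"            # constructed sample address
    print(wkd_url(sample))
    # Same local part, different domain: identical hash, different host.
    print(wkd_url("joe.doe@other.example"))
```

Run it and compare the two printed URLs: the final path component is identical, which is exactly why, as the mail says, the server must know which domains it serves and why the domain must live in the host part of the request.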


More information about the Gnupg-devel mailing list