Questions about Web Key Directory I-D version 06

Wiktor Kwapisiewicz wiktor at metacode.biz
Thu May 31 18:11:17 CEST 2018


> please also note that there is an open discussion point with WKD draft 06:

> As noted on 
> https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept#Ask_the_mail_service_provider_.28MSP.29
> I currently recommend implementing WKD serving without a DNS SRV record, for
> compatibility with web clients like Mailvelope and Enigmail for now.

It's interesting that you bring this up now, as I've just recently implemented WKD
in openpgpjs [0] and yes, I didn't do DNS SRV (for obvious reasons - it is
not supported in browsers).

There is one issue, though: browsers and extensions still need appropriate CORS
settings to work. The Access-Control-Allow-Origin header must be set to '*' on both
200 and 404 responses (see [0] for details). I believe extensions would also
need these headers [1], although I didn't check.

[0]: https://github.com/openpgpjs/openpgpjs/pull/714

[1]: https://developer.chrome.com/extensions/xhr#requesting-permission

As for DNS SRV, I understand the motivation of added flexibility, but from
what I've seen of other .well-known URLs, HTTP load balancing and the ability
to redirect requests already give sufficient flexibility. DNS SRV lookup
complicates the otherwise very simple and clean protocol.

My two changes implementing WKD lookup (for openpgpjs and OpenKeychain) only do the
"simple" basic flow, no DNS SRV.

Kind regards,
Wiktor

-- 
*/metacode/*
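An added example, not from the list post or from the openpgpjs pull request, showing in Python the direct-method WKD lookup that the message describes (SHA-1 of the lowercased local part, z-base-32 encoded, no DNS SRV) and a minimal server-side response function that attaches Access-Control-Allow-Origin: * to both the 200 and the 404, as a browser client needs; the key store, key bytes and the `wkd_response` helper are constructed for illustration, and optional query parameters are left out.

```python
import base64
import hashlib

# z-base-32 shares base32's 5-bit MSB-first grouping and only swaps the alphabet,
# so the standard library's b32encode plus a character translation is sufficient.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_B32, _ZB32)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded.
    20 digest bytes = 160 bits = exactly 32 characters, so no padding appears."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def wkd_direct_url(address: str) -> str:
    """Direct-method URL on the mail domain itself (no DNS SRV lookup),
    which is what browser-based clients are limited to."""
    local_part, domain = address.rsplit("@", 1)
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}"


# Header a browser requires on every WKD response, hit or miss.
CORS = {"Access-Control-Allow-Origin": "*"}


def wkd_response(keys: dict, path: str):
    """Hypothetical request handler: map a request path to (status, headers, body).
    `keys` maps a WKD hash to the binary key bytes. The CORS header is attached to
    the 404 as well as the 200, so a cross-origin client can distinguish "no key
    published" from a blocked cross-origin request."""
    prefix = "/.well-known/openpgpkey/hu/"
    if path.startswith(prefix):
        h = path[len(prefix):].split("?", 1)[0]  # ignore any query string
        key = keys.get(h)
        if key is not None:
            return 200, {**CORS, "Content-Type": "application/octet-stream"}, key
    return 404, dict(CORS), b""


if __name__ == "__main__":
    # Constructed sample: one published key, one lookup for an unknown address.
    store = {wkd_hash("joe.doe"): b"<constructed binary key bytes>"}
    print(wkd_direct_url("Joe.Doe@Example.ORG"))
    print(wkd_response(store, "/.well-known/openpgpkey/hu/" + wkd_hash("Joe.Doe"))[:2])
    print(wkd_response(store, "/.well-known/openpgpkey/hu/" + wkd_hash("nobody"))[:2])
```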
