OpenPGP Web Key Directory

Dashamir Hoxha dashohoxha at gmail.com
Tue May 4 19:48:45 CEST 2021


Bernhard, thanks for your quick review and suggestions.

On Tue, May 4, 2021 at 4:20 PM Bernhard Reiter <bernhard at intevation.de> wrote:

> Thanks for working on WKD and WKS in the first place!
> It is helpful to get the word out on this.

I think so too. WKD is an important piece of the GnuPG ecosystem, and
not so difficult either. I have registered a presentation of up to 15
min about it on OW2con'21: https://www.ow2con.org/view/2021/ (it will
be online). I intend to present the first 3 sections of this article,
without going into much detail about WKS, docker containers, postfix,
etc.

> Some suggestions:
> * Give details about the version numbers and systems
>   that you give commands for. (Maybe Debian as you use
>   apt-get.)

Actually it is the latest Ubuntu stable release (Ubuntu-20.04, or
focal). But I think that everything should work exactly the same on
the latest Debian stable release (buster).

> * Personally I found it too long, maybe the container part
>   could at least be split out.

Yes, it is a bit long. And it is mostly structured as a step-by-step
tutorial, with instructions to be followed and commands to be tried.
Which makes it a bit difficult to just read through it.
However the container part (building a WKS server with docker) is my
main contribution to this topic, so I can't leave it out. And the
first three sections are a quick introduction to WKD.

> * There is some duplication to what is in the wiki.gnupg.org
>   other places in the documentation and your article. (You can
>   add stuff to the wiki, too. :))

Wiki maintainers can feel free to copy any parts if they wish. I don't
think there is anything wrong with duplication.

> * There are a few recommendations for the server in the specification
>   like RR record if the advanced method is used or the disabling
>   of directory listings. Maybe your examples could mention them.

Maybe I should mention disabling of directory listing, although one of
the examples (in the container part) includes the apache2 directive
"Options -Indexes", which does it.
In general, if the WKD contains only your own key, maybe it is not
strictly necessary. However for a large organization it is.

About the RR record, I have noticed it in the specs, but I am not sure
what this record should look like.
Besides, if WKD clients only check for the presence of the
'policy' file to find out whether the advanced method is available,
maybe it doesn't make any difference.

> * It is still okay to use the public keyservers.

I only mention quickly that they are not recommended, without going
into much detail about their problems. And I say that WKD is the
recommended way for public key sharing, again without going into much
detail.

Best regards,
Dashamir
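As an added illustration (not part of this email or of the article under discussion), the following derives the URLs a WKD client fetches for a mail address under both the advanced method and the direct method, including the 'policy' file mentioned above; the address Joe.Doe@Example.ORG is the worked example from the WKD draft specification, and the lowercasing and z-base-32 alphabet follow that draft.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, MSB first, no padding characters."""
    n = int.from_bytes(data, "big")
    total_bits = len(data) * 8
    nchars = -(-total_bits // 5)          # ceil(total_bits / 5)
    padded_bits = nchars * 5
    n <<= padded_bits - total_bits        # zero-fill the last partial group
    return "".join(ZBASE32[(n >> (padded_bits - 5 * (i + 1))) & 31]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD hash: SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the policy and key URLs for the advanced and direct WKD methods."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The 'l' query parameter carries the local part as written (case preserved);
    # only the hash input is lowercased.
    query = "?l=" + quote(local_part, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "hash": h,
        # The advanced method requires the policy file to exist on the subdomain.
        "advanced_policy": f"{advanced_base}/policy",
        "advanced_key": f"{advanced_base}/hu/{h}{query}",
        "direct_policy": f"{direct_base}/policy",
        "direct_key": f"{direct_base}/hu/{h}{query}",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

Serving the `hu/` directory with directory listings disabled (the `Options -Indexes` directive discussed above) keeps these per-user hashes from being enumerated in bulk.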
