WKD: Subdomain openpgpkey

Dashamir Hoxha dashohoxha at gmail.com
Sun Nov 7 05:29:32 CET 2021


Thanks for starting this discussion Christoph, because it allows me to
add something else that has bothered me.

In my presentations about WKD (https://cloud.fs.al/s/5TNQm4sJyYN8qi4)
I try to explain it by thinking about how a client would locate the key
through WKD.
I say that the client first looks for the presence of the "policy"
file with the advanced method, and if not found, looks for the
presence of the "policy" file with the direct method.
This allows the client to find out (discover) which method is
available/supported. After that, it tries to download the key with the
method (advanced or direct) that was discovered in the first step.
These steps are repeated each time the client needs to download a
key (maybe each time it needs to use it), so there is no problem
if there is a temporary failure; the next time it tries to
retrieve the key, it will work.

What bothers me is that, the way I describe it, it does not depend
on the existence of domains or subdomains; it only checks for the
presence of the "policy" file. And I am not sure if this is completely
correct.

On Fri, Nov 5, 2021 at 3:59 PM Christoph Klassen via Gnupg-devel
<gnupg-devel at gnupg.org> wrote:
>
> Hello,
>
> in the draft of Werner Koch about WKD there is this paragraph:
>
> There are two variants on how to form the request URI: The advanced
> and the direct method.  Implementations MUST first try the advanced
> method.  Only if the required sub-domain does not exist, they SHOULD
> fall back to the direct method. [1]
>
> I think it needs to be clarified what it means that the sub-domain doesn't exist. If a server doesn't offer this sub-domain, it doesn't exist ... check. But what if it does offer this sub-domain and the server isn't available for some reason? Does that case count as "does not exist"?
>
> [1] https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/
>
>
> Greetings,
>
> Christoph
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
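The lookup described above, as an added example (Python; not code from this thread, from GnuPG or from the draft): it builds the advanced and direct URLs for an address, applies the draft's fallback wording with DNS existence of the openpgpkey name as the criterion, and beside it the policy-file probe from the message, so the "sub-domain exists but the server is down" case from Christoph's question can be run through both. Network access is replaced by a constructed fake (FakeNet); the domain example.org, the key bodies, the function names and the rule that an unreachable but existing sub-domain is an error rather than "does not exist" are assumptions of the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote

# z-base-32 alphabet; WKD encodes the SHA-1 of the local part with it.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """z-base-32 without padding; a 20-byte SHA-1 digest gives 32 chars."""
    bits = nbits = 0
    out = []
    for byte in data:
        bits, nbits = (bits << 8) | byte, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32[(bits >> nbits) & 31])
    if nbits:  # trailing partial group; never hit for 160-bit input
        out.append(ZB32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Hashed user ID: SHA-1 of the lower-cased local part, z-base-32 encoded."""
    return zbase32(hashlib.sha1(local_part.lower().encode()).digest())


@dataclass(frozen=True)
class WkdUrls:
    host: str    # name whose DNS existence decides the method
    policy: str  # .../policy
    key: str     # .../hu/<hash>?l=<local part>


def wkd_urls(addr: str, advanced: bool) -> WkdUrls:
    """URLs for one method; the advanced host is openpgpkey.<domain>."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    host = f"openpgpkey.{domain}" if advanced else domain
    base = f"https://{host}/.well-known/openpgpkey" + (f"/{domain}" if advanced else "")
    return WkdUrls(host, f"{base}/policy",
                   f"{base}/hu/{wkd_hash(local)}?l={quote(local)}")


class SubdomainExistsButUnreachable(Exception):
    """The openpgpkey name resolves in DNS but the HTTPS fetch failed."""


def lookup_key(addr: str, resolves: Callable[[str], bool],
               http_get: Callable[[str], Optional[bytes]]):
    """Draft wording: advanced first; direct only if the sub-domain does not
    exist (resolves() is False). http_get returns the body, None on 404, and
    raises OSError when the host is down ('exists but down' = error here)."""
    adv = wkd_urls(addr, advanced=True)
    if resolves(adv.host):
        try:
            return "advanced", http_get(adv.key)
        except OSError as exc:
            raise SubdomainExistsButUnreachable(adv.host) from exc
    return "direct", http_get(wkd_urls(addr, advanced=False).key)


def discover_method_by_policy(addr: str, http_get) -> Optional[str]:
    """The probe from the message above: look for the policy file, advanced
    first, then direct. A connection error counts as 'not found' (assumption)."""
    for method, urls in (("advanced", wkd_urls(addr, True)),
                         ("direct", wkd_urls(addr, False))):
        try:
            if http_get(urls.policy) is not None:
                return method
        except OSError:
            continue
    return None


class FakeNet:
    """Constructed offline stand-in for DNS and HTTPS (not a real client)."""
    def __init__(self, hosts, files, down=()):
        self.hosts, self.files, self.down = set(hosts), files, set(down)

    def resolves(self, host):
        return host in self.hosts

    def http_get(self, url):
        host = url.split("/")[2]
        if host in self.down:
            raise OSError(f"{host}: connection refused")
        return self.files.get(url)  # None models a 404


def demo() -> dict:
    """Three deployments of a made-up domain: (draft rule, policy probe)."""
    addr = "Joe.Doe@Example.ORG"
    adv, dct = wkd_urls(addr, True), wkd_urls(addr, False)
    direct_only = {dct.policy: b"", dct.key: b"KEY-DIRECT"}
    advanced = {adv.policy: b"", adv.key: b"KEY-ADV"}
    nets = {
        "no_subdomain": FakeNet(["example.org"], direct_only),
        "advanced_up": FakeNet(["example.org", adv.host], advanced),
        "subdomain_down": FakeNet(["example.org", adv.host],
                                  {**direct_only, **advanced}, down=[adv.host]),
    }
    out = {}
    for name, net in nets.items():
        try:
            draft = lookup_key(addr, net.resolves, net.http_get)
        except SubdomainExistsButUnreachable:
            draft = ("error", None)
        out[name] = (draft, discover_method_by_policy(addr, net.http_get))
    return out
```

In the first two scenarios both readings agree. In the third, the sub-domain resolves but its server is down: the DNS-existence rule raises instead of falling back, while the policy-file probe silently picks the direct method, which is exactly the divergence the two messages above are circling around.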