WKD: Subdomain openpgpkey

Bernhard Reiter bernhard at intevation.de
Wed Nov 17 15:49:01 CET 2021

when talking about this, Christoph and I thought about how to implement
a WKD request without using GnuPG (in places where it is not easily 

We found that the current WKD draft [1] in practical terms seems to demand an 
explicit DNS resolve attempt in many situations. The reason is that
some connection libraries would not allow to easily make a distinction
between a failed connection for network error from a name resolution error or 
for a different reason.

An example in
Python 3.7.3 (default, Jan 22 2021, 20:04:44) 
>>> import requests
>>> requests.__version__
>>> r= 
HTTPSConnectionPool(host='openpgpkey.intevation.de', port=443): Max retries 
exceeded with 
url: /.well-known/openpgpkey/intevation.de/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe 
(Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection 
object at 0x7fcb0d9ec208>: Failed to establish a new connection: [Errno -2] 
Name or service not known'))

This has the information in the string, so we would need to match
 "Name or service not known" to make the distinction.
Which is possible but not nice.

And additional call would be better, like
  import socket
    socket.getaddrinfo("openpgpkey.intevation.de", "443")
  except socket.gaierror:
    # try direct method

In a browser console (chromium  95.0.4638.69) we have not yet found how to get
that information at all:

p = fetch(url)
Promise {<pending>}
VM398:1 GET 
 Uncaught (in promise) TypeError: Failed to fetch
    at <anonymous>:1:5

The console shows part of the into in the "net::ERR_FAILED" message, but this 
is not directly available from the variable p.
The documentation says
"A fetch() promise will reject with a TypeError when a network error is 
encountered or CORS is misconfigured on the server-side, although this 
usually means permission issues or similar "

Maybe this is the same in other libraries as well: the return of a TLS 
connection attempt may not be structured well enough that it can be (easily 
or at all) seen that it the DNS resolved okay, but something else (like TLS, 
CORS, network connection problems) has happened. A clear test would need a 
different (library) function call.

For browser extentions like Mailvelope there is no way to know in Chromium.
It could do a new dns.resolve() now, but see the nonexistent support in other

Even if the environement of the WKD request implementation offers a DNS
resolve function, in the case of a DNS not resolving because of a network 
error, we still cannot be sure that no DNS entry exists.

Would'nt it be easier then to say:
  * Try to resolve the advanced WKD request for the email address in
    question. And if the network connection fails, you SHOULD try the direct

We considered using the mentioned test 
     Clients may use this file to check for Web Key Directory support.
as a test for the advanced method, but this would be one additional request
each time the attempt to get one specific pubkey via advanced WKD fails
before the direct method could be tried. Or one connection attempt each time 
before trying the advanced method. But this would not be enough for the 
current criteria of selecting the direct method in the draft.
Wouldn't it be an improvement to be more symmetric here? E.g. like if a 
network request to the advanced method policy file fails, try the direct 
method policy file and if that network request fails, assume no support for 
WKD (for now.)

Best Regards,

[1]  https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/13/

 Implementations MUST first try the advance method. 
 Only if an address for the required sub-domain does not
 exist, they SHOULD fall back to the direct method.  A non-responding
 server does not mean that the fall back should be carried out.

www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20211117/792336f0/attachment.sig>

More information about the Gnupg-devel mailing list