Hosting a Web Key Directory
Andre Heinecke
aheinecke at intevation.de
Thu Oct 27 17:33:45 CEST 2016
Hi!
I just published how to host your own Web Key Directory on the gnupg blog.
Find below a plain text version of my blog entry
https://gnupg.org/blog/20161027-hosting-a-web-key-directory.html
Andre
1 Hosting a Web Key Directory
═════════════════════════════
With the improvements in GnuPG for Key Discovery (see: [Key Discovery
Made Simple]) you may want to provide the OpenPGP keys for your
domain. The Web Key Service (WKS) describes a protocol for Mail
Service Providers or large organisations to maintain a Web Key
Directory (WKD) for their users.
A Web Key Directory is a static collection of keys provided under well
known URLs under your domain. This directory can also be manually
generated without using the Web Key Service protocol.
By providing a Web Key Directory other people (or their Mail Software)
can obtain the OpenPGP keys for your domain with a simple query like:
┌────
│ $ gpg --auto-key-locate wkd --locate-keys <mail address>
└────
In this note, I explain how to do that.
Note: An updated version of this article may be available in the
[GnuPG Wiki]
[Key Discovery Made Simple]
https://www.gnupg.org/blog/20160830-web-key-service.html
[GnuPG Wiki]
https://wiki.gnupg.org/WKD#Hosting%20a%20Web%20Key%20Directory
1.1 Requirements
────────────────
• A web server that provides https with a trusted certificate for your
domain.
• A client machine with Python and PyME installed (debian package
python-pyme)
• The script: [generate-openpgpkey-hu] (in the [Mercurial repository
"wkd-tools"])
[generate-openpgpkey-hu]
https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu
[Mercurial repository "wkd-tools"]
https://hg.intevation.de/gnupg/wkd-tools/
1.2 Setup
─────────
You can either export all the keys in your keyring that belong to a
domain or provide an explicit keyring containing just those keys that
you want to publish.
The call:
┌────
│ $ ./generate-openpgpkey-hu example.com hu
└────
Will create a directory called hu containing all the keys with user
ids that include @example.com.
If there are multiple valid keys for a user in your keyring this
command will error out. In that case you can prepare a keyring with
only the keys that you want to publish. For example:
┌────
│ $ gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
│ > gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import
└────
And then provide that keyring to generate-openpgpkey-hu:
┌────
│ ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
└────
1.3 Publishing
──────────────
The hu directory has to be published on your server as
┌────
│ https://example.com/.well-known/openpgpkey/hu/
└────
Create the directory structure and set the permissions accordingly.
This example [Makefile] automates the hu directory generation and
publishing. Edit the variables at the top of the makefile to set
`RSYNC_TARGET' The `KEYRING' variable is optional and can be left
empty.
That's it. You can now test your setup by calling:
┌────
│ $ gpg --auto-key-locate wkd --locate-keys <mail address>
└────
you should see something like this:
┌────
│ gpg: key AC12F94881D28CB7: public key "testuser10 at test.gnupg.org" imported
│ gpg: Total number processed: 1
│ gpg: imported: 1
│ gpg: automatically retrieved 'testuser10 at test.gnupg.org' via WKD
│ pub ed25519 2016-07-15 [SC]
│ 5506894357DC548CC65B0BCFAC12F94881D28CB7
│ uid [ unknown] testuser10 at test.gnupg.org
│ sub cv25519 2016-07-15 [E]
└────
[Makefile]
https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20161027/30cfd0c8/attachment-0001.sig>
More information about the Gnupg-users
mailing list