The "advanced" URL of openpgp-webkey-service-07, and l=
Werner Koch
wk at gnupg.org
Tue Feb 12 19:36:12 CET 2019
Hi!
On Mon, 11 Feb 2019 14:04, vesely at tana.it said:
> I just saw version -07 today. The advanced method:
>
> WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
> doesn't seem to make much sense to me. I tried it with posteo.de, and got:
The two parts were accidentally swapped in the I-D. It has been corrected
in the repo. See
https://dev.gnupg.org/rD733acdda1a440ca38df4aa22711459af7c25cd2d
> The subdomain is probably a star (*) DNS record. However, their
Right, they fixed it a few weeks ago, but they might have broken it
again. Actually only posteo.de works at all because they have an invalid
certificate for posteo.net for a few years now (posteo.net is
301-redirected to posteo.de but posteo.net needs to have a cert for
posteo.net).
> I'm unable to get the "flexibility in setting up the Web Key Directory
> in environments where more than one mail domain is hosted". Say I
> host A.example and B.example. Then I need to set up both subdomains
> openpgpkey.A.example and openpgpkey.B.example. Internally, they can
You redirect the host openpgpkey.example.com and openpgpkey.example.org
to, say, webkeys.example.com but keep the path to avoid CSRF. Then you
can install gpg-wks-server on the webkeys.example.com host using its
default layout with a directory for each domain. It is really
convenient, because it requires less configuration.
> What if they don't match? To urlencode the local part might have been
> easier than Z-encoding its SHA1, but what's the point of doing both?
Percent-encoding does not allow storing it as plain text files because
'/' does not need to be percent encoded and the entire length of the
filename might get too long without using a hash.
The l= parameter has been added as an alternative way for looking up the
key for those platforms which already employ databases or such and don't
want to store extra data like a hash.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.