The "advanced" URL of openpgp-webkey-service-07, and l=

Werner Koch wk at
Tue Feb 12 19:36:12 CET 2019


On Mon, 11 Feb 2019 14:04, vesely at said:

> I just saw version -07 today.  The advanced method:
> doesn't seem to make much sense to me.  I tried it with, and got:

The two parts were accidentally swapped in the I-D.  It has been corrected
in the repo.  See

> The subdomain is probably a star (*) DNS record.  However, their

Right, they fixed it a few weeks ago, but they might have broken it
again.  Actually only works at all because they have an invalid
certificate for for a few years now ( is
301-redirected to but needs to have a cert for

> I'm unable to get the "flexibility in setting up the Web Key Directory
> in environments where more than one mail domain is hosted".  Say I
> host A.example and B.example.  Then I need to set up both subdomains
> openpgpkey.A.example and openpgpkey.B.example.  Internally, they can

You redirect the host and
to, say, but keep the path to avoid CSRF.  Then you
can install gpg-wks-server on the host using its
default layout with a directory for each domain.  It is really
convenient, because it requires less configuration.

> What if they don't match?  To urlencode the local part might have been
> easier than Z-encoding its SHA1, but what's the point of doing both?

Percent-encoding does not allow storing it as plain text files because
'/' does not need to be percent-encoded and the entire length of the
filename might get too long without using a hash.

The l= parameter has been added as an alternative way for looking up the
key for those platforms which already employ databases or such and don't
want to store extra data like a hash.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
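As an added example (not code from this thread, from the I-D, or from GnuPG), the following Python shows the lookup mapping the reply discusses: the local part is lowercased, SHA-1 hashed and Z-Base32 encoded to form the fixed-length `hu/` file name, while the `l=` query parameter carries the percent-encoded original local part for servers that already keep a database. It also builds the advanced-method URL in the corrected order (`openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/...`) beside the direct-method URL, and demonstrates why a plain percent-encoded local part makes a poor file name. The `Joe.Doe@Example.ORG` vector is the draft's own example; the function and variable names are my own.

```python
import hashlib
from urllib.parse import quote

# Z-Base32 alphabet as used by the Web Key Directory draft (Zooko's base32).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as Z-Base32: 5-bit groups, most significant bit first.

    A 20-byte SHA-1 digest is exactly 160 bits, so it yields 32 characters
    without any padding.
    """
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)  # zero-pad only if length is not a multiple of 5
    return "".join(
        ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5)
    )


def wkd_hash(local_part: str) -> str:
    """Map a mail local part to its WKD file name: zbase32(SHA-1(lowercase(local))).

    The result is always 32 characters from a filesystem-safe alphabet,
    which is why the draft hashes instead of percent-encoding.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def percent_encoded_file_name(local_part: str) -> str:
    """What a plain RFC 3986 path encoding of the local part would look like.

    '/' is allowed unescaped in a path, so an address like a/b@example.org
    would produce a name containing a directory separator, and long local
    parts produce arbitrarily long names.
    """
    return quote(local_part)  # default safe="/" keeps the slash, as in a URL path


def wkd_urls(address: str) -> dict:
    """Build the advanced- and direct-method WKD URLs and policy URLs for an address.

    Advanced: https://openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/<hash>?l=<local>
    Direct:   https://<domain>/.well-known/openpgpkey/hu/<hash>?l=<local>
    The domain is lowercased; the l= value keeps the original case of the
    local part, percent-encoded (here with every reserved character escaped).
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    file_name = wkd_hash(local_part)
    l_param = quote(local_part, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{advanced_base}/hu/{file_name}?l={l_param}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct": f"{direct_base}/hu/{file_name}?l={l_param}",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    # Draft example: Joe.Doe@Example.ORG -> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
    # Constructed awkward local parts showing the file-name problem:
    for awkward in ("a/b", "x" * 300):
        print(len(percent_encoded_file_name(awkward)), "vs", len(wkd_hash(awkward)))
```

A client following the draft tries the advanced URL first and falls back to the direct one; the `l=` parameter is redundant for a file-based layout such as gpg-wks-server's, but lets a database-backed server look the key up by local part without storing the hash.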