WKD for GitHub pages

Stefan Claas spam.trap.mailing.lists at gmail.com
Sat Jan 9 14:37:34 CET 2021

On Sat, Jan 9, 2021 at 11:37 AM Neal H. Walfield <neal at walfield.org> wrote:

> It appears that gpg is trying the advanced lookup method, gets an
> error, and then doesn't fallback to the direct lookup method.  This is
> consistent with the I-D:
>    3.1.  Key Discovery
>    ...
>    There are two variants on how to form the request URI: The advanced
>    and the direct method.  Implementations MUST first try the advanced
>    method.  Only if the required sub-domain does not exist, they SHOULD
>    fall back to the direct method.
>    https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07
> It appears that github.com's DNS is configured such that all domains
> under github.com resolve to github.com's web server, even
> subsubdomains.  For instance,
> https://asdflkjasdfj.asdflkjasdflkj.github.com/ resolves to a 404.
> So, it seems that you'll need to create openpgpkey.sac001.github.com.
> Further, you'll have to figure out how to get a valid certificate for
> it.  At least Firefox considers github.com's certificate to be valid
> for foo.github.com, but not bar.foo.github.com.

Hi Neal,

thanks for the reply, much appreciated! Simply said, for the average
user like me, I believe GitHub is doing it right, because it is a
valid option according to their SSL cert data, and Werner simply
overlooked this option. I will not experiment any further, because I
set up WKD properly, which works with sequoia-pgp, for example. I have
not checked other OpenPGP software.

And I strongly believe that Werner can fix this issue, if he is
willing to do so.

Best regards
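The lookup order Neal quotes from the draft, as an added example that is not code from either poster, from gpg or from sequoia-pgp: it builds both WKD request URIs for an address and models why a wildcard DNS answer for every name under github.com leaves a client that follows the draft with no fallback. The resolver, the fetcher and the address user@sac001.github.com are constructed stand-ins.

```python
import hashlib
import urllib.parse

# z-base-32 alphabet (RFC 6189, section 5.1.6), the encoding the WKD draft requires
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most-significant bits first, without padding."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(bits >> (5 * i)) & 31] for i in reversed(range(nchars)))


def wkd_hash(local_part: str) -> str:
    """Draft section 3.1: lowercase the local-part, SHA-1 it, z-base-32 the digest (32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_uris(address: str) -> dict:
    """Return the advanced and the direct request URI for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    tail = f"/hu/{wkd_hash(local)}?l={urllib.parse.quote(local, safe='')}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey{tail}",
    }


def discover(address: str, name_exists, fetch):
    """Draft lookup order: advanced first; direct only if the openpgpkey sub-domain
    does not exist.  An HTTP error (404, certificate failure) on the advanced URI
    is not a reason to fall back, which matches what gpg does in the thread."""
    uris = wkd_uris(address)
    subdomain = "openpgpkey." + address.rsplit("@", 1)[1].lower()
    if name_exists(subdomain):
        return "advanced", fetch(uris["advanced"])
    return "direct", fetch(uris["direct"])


def github_pages_case(address: str = "user@sac001.github.com"):
    """Constructed model of the thread: wildcard DNS answers for any name under
    github.com, but only the direct path is actually served by the Pages site."""
    served = wkd_uris(address)["direct"]
    name_exists = lambda host: host.endswith(".github.com")  # constructed wildcard DNS
    fetch = lambda uri: b"constructed key bytes" if uri == served else None  # None = 404
    return discover(address, name_exists, fetch)


if __name__ == "__main__":
    print(wkd_uris("Joe.Doe@Example.ORG"))
    print(github_pages_case())  # ('advanced', None): no key found, no fallback
```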
