WKD for GitHub pages

Ingo Klöcker kloecker at kde.org
Sat Jan 9 19:23:24 CET 2021

On Saturday, 9 January 2021 15:43:14 CET Stefan Claas via Gnupg-users wrote:
> On Sat, Jan 9, 2021 at 2:37 PM Stefan Claas
> <spam.trap.mailing.lists at gmail.com> wrote:
> > Hi Neal,
> > 
> > thanks for the reply, much appreciated! Simply said, for the average
> > user like me, I believe GitHub is doing it right, because it is a
> > valid option according to their SSL cert data, and Werner simply
> > overlooked this option. I will not experiment any further, because I
> > set-up WKD properly, which works with sequoia-pgp, for example. I have
> > not checked other OpenPGP software.
> > 
> > And I strongly believe that Werner can fix this issue, if he is
> > willing to do so.
> Example: If I were the host master of the domain bund.de with its
> many subdomains and authorities would request that WKD, as an
> inexpensive inhouse option, has to be set-up...
> IMHO that would be the same case, if I am not mistaken.

No, it's not.

Even if there's foo.bund.de, then there wouldn't be openpgpkey.foo.bund.de 
(unless foo.bund.de sets up the advanced variant of WKD).

The problem with GitHub pages is apparently that openpgpkey.sac001.github.io 
resolves to an IP address (well, actually multiple addresses):

$ host openpgpkey.sac001.github.io
openpgpkey.sac001.github.io has address
openpgpkey.sac001.github.io has address
openpgpkey.sac001.github.io has address
openpgpkey.sac001.github.io has address

$ host -t A bsi.bund.de
bsi.bund.de has address

$ host -t A openpgpkey.bsi.bund.de
openpgpkey.bsi.bund.de has no A record

and therefore WKD would fall back to the direct method for bsi.bund.de.
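
The method selection described in the message above, as an added example that is not part of the original e-mail or of GnuPG's code. It builds both WKD URL forms and picks one depending on whether the openpgpkey subdomain resolves; the local part "someone" and the stub resolver (which mirrors the host output shown above) are constructed for illustration.

```python
import hashlib
import socket
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the local part (ASCII letters lowercased), z-base-32 encoded."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    digest = hashlib.sha1(lowered.encode("utf-8")).digest()
    bits = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZBASE32[(bits >> s) & 31] for s in range(155, -1, -5))


def resolves(host: str) -> bool:
    """True if the name resolves to at least one address."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def wkd_url(address: str, resolver=resolves):
    """Return (method, url) a WKD client would use for this address."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={quote(local)}"
    sub = f"openpgpkey.{domain}"
    if resolver(sub):
        # Subdomain exists: advanced method. The certificate served there
        # must be valid for openpgpkey.<domain>, or the lookup fails.
        return "advanced", f"https://{sub}/.well-known/openpgpkey/{domain}/{tail}"
    # Subdomain does not exist: fall back to the direct method.
    return "direct", f"https://{domain}/.well-known/openpgpkey/{tail}"


if __name__ == "__main__":
    # Constructed stub resolver: only the github.io name resolves,
    # matching the host output quoted in the message.
    def stub(host):
        return host == "openpgpkey.sac001.github.io"

    for addr in ("someone@sac001.github.io", "someone@bsi.bund.de"):
        print(addr, *wkd_url(addr, resolver=stub))
```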

