WKD for GitHub pages

Ángel angel at pgp.16bits.net
Sun Jan 10 17:54:28 CET 2021

On 2021-01-09 at 23:40 +0100, Stefan Claas via Gnupg-users wrote:
> Well, I wish Werner would chime in, because what I really don't
> understand why do we have two options, instead of one and why is the
> advanced method the first one to be checked, if we have as first one
> the direct method, which would tell me, as laymen, that a software
> would start first with the 'easier' method.

The way it is defined, it makes complete sense. The advanced method
allows a finer control. For example, you could have your web page in
one hosting (such as a CDN you may not trust too much) and your pgp
keys in a different host that you could consider more trustworthy.

The terms easy and advanced refers to the difficulty of setting it up.
Normally, creating a subdomain would be more complex (you need to
create a second dns record, perhaps also create a new VirtualHost…). It
is more powerful, but it's less accessible.

You need to check the first, since the bare domain is pretty much
guaranteed to exist, even without relation to openpgp keys. Plus, with
the above, your lack of trust could be e.g. that you don't want them 
-for privacy reasons- to know which keys are being fetched. Using a
separated host that is tried first solves it. 

> Fact for me is, I do have a site, which users shows a valid SSL cert
> and sequoia-pgp honors this, while GnuPG and gpg4win do not honor
> this and give a cert error for IMHO a second option GnuPG and gpg4win
> offers.

sequoia is in the wrong here. You don't have a valid SSL cert for
openpgpkey.sac001.github.io Either they are not supporting the advanced
method (maybe they follow an older draft?) or they ignore the
certificate failure (which would be quite bad).

The issue here is why github is publishing subdomains that nobody can
use, anyway. This would usually be harder (why create a openpgp
subdomain if you don't want it?), but GitHub configuration is already
sufficiently advanced that it breaks this (it was simpler for them to
configure their nameservers to also return that for subdomains?).


More information about the Gnupg-users mailing list