WKD for GitHub pages

Ángel angel at pgp.16bits.net
Mon Jan 11 22:59:10 CET 2021

On 2021-01-11 at 16:36 +0100, Stefan Claas wrote:
> On Sun, Jan 10, 2021 at 11:22 PM Ángel wrote:
> > On 2021-01-10 at 18:47 +0100, Stefan Claas wrote:
> > > Can you tell me/us in laymen terms how this works with gnupg.org?
> > 
> > Sure. Let's suppose you wanted to fetch Werner's key. You want the
> > key
> > for wk at gnupg.org Using --with-wkd-hash parameter, we can see that
> > this
> > would generate nq6t9teux7edsnwdksswydu4o9i5es3f at gnupg.org
> > 
> > Then, the key of Werner lives at
> > https://openpgpkey.gnupg.org/.well-known/openpgpkey/gnupg.org/hu/nq6t9teux7edsnwdksswydu4o9i5es3f
> > 
> > If openpgpkey.gnupg.org didn't exist, then it would use the direct
> > schema, in which the key would be at
> > https://gnupg.org/.well-known/openpgpkey/hu/nq6t9teux7edsnwdksswydu4o9i5es3f
> Thanks, so I think the culprit could be that maybe the specs were
> changed, when I
> look at your links, including the gnupg.org domain as a folder, which
> I never set-up
> when doing this for my 300baud.de domain. I checked also older WKD
> tutorials
> on the Internet and they do not mention a domain folder either.
> I tried to include this domain folder, this morning, named sac001 but
> it did not work either, whether with GnuPG or sequioa-pgp.
> So my guess is that GnuPG gives this cert error because it does not
> support
> wildcard subdomains, included in an SSL cert, like the GitHub one.

The folder with the domain name is only used in the advanced method.
Compare how the url using openpgpkey.gnupg.org above has a gnupg.org
folder but the url of gnupg.org doesn't.

In your case, you would place your key at


or -if openpgpkey.300baud.de doesn't exist- at


note that in both cases, you still need a file named policy in the same
folder that contains hu/ (just create an empty file, but it must be

The advanced method was added in November 2018, 2.5 years ago, in
version 7 of the draft:

It's true that draft-koch-openpgp-webkey-service doesn't specify that
the https certificate must be valid. One would generally expect that
https:// with no, normal rules would apply, although there is a history
of ignoring certificate validation if keys are going to be validated
through WoT. The "make a CNAME of your openpgpkeys subdomain to
wkd.keys.openpgp.org" couldn't work with https certificate validation,
thouth (or are they requesting a certificate on-the-fly?)
Actually, I suspect that depending on how you build gnupg, it would
validate them or not.

Best regards

More information about the Gnupg-users mailing list