WKD for GitHub pages

André Colomb andre at colomb.de
Tue Jan 12 11:27:57 CET 2021

On 12/01/2021 09.25, Stefan Claas via Gnupg-users wrote:
> It would be nice to know why the advanced method was added. In case
> the direct method would not be sufficent or would have security issues
> I would think that than one replaces the direct method with advanced
> one and then we only need only one method, in order that this works.

A domain is not automatically tied to a webserver.  It might so far only
be used for e-mail and just to set up WKD, one might not want to run a
webserver under the second-level domain itself.  Therefore the
standardized "openpgpkey" subdomain, which can easily point to a
different IP.  That makes it easy to completely separate the
infrastructure needed for WKD from anything else, like a webserver for a
web page, webmail or other services.

In addition, that separate server might serve WKD keys for a bunch of
different domains through redirects, hence it makes sense to separate
the URLs per domain.  It just gives the admin additional flexibility by
not forcing them to make a certain URL under the main domain work.

> And if we must have two methods, why is the order not, like one would
> think: check direct first and if this does not work check advanced?
> I must admit I do not understand the programming logic.

That's easy: If openpgpkey.example.org exists, we can be certain that
example.org exists as well.  So the check for the openpgpkey subdomain
must come first if its mere existence decides which method is tried.
Otherwise you would get HTTPS connections for every WKD request on the
example.org server, which fail if the direct method is not supported.
Just to make another HTTPS connection to openpgpkey.example.org to try
the advanced method next.  That's a lot of overhead on both the client
and server side, compared to the two DNS queries you need to make either

Hope that helps.

From: André Colomb <andre at colomb.de>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210112/99af6987/attachment.sig>

More information about the Gnupg-users mailing list