WKD for GitHub pages

[Damien Goutte-Gattat]

On Tue, Jan 12, 2021 at 09:25:15AM +0100, Stefan Claas via Gnupg-users 
wrote:
>It would be nice to know why the advanced method was added.

To give more flexibility for people setting up a WKD for more than one 
domain.

Let’s say that I manage example.org and example.net, and I want to serve 
keys for addresses in both domains. With the “direct” method, I need to 
set up two distinct WKD servers, one for each domain. With the 
“advanced” method, I can set up a single server and make 
openpgpkey.example.org and openpgpkey.example.net point to that single 
server.

(SRV records would be the modern and proper way to provide such a level 
of indirection, instead of a subdomain. And indeed, previous versions of 
the WKD draft relied on SRV records. Unfortunately, resolving SRV 
records was problematic for some implementers using some limited 
languages with limited DNS capabilities, so they were scrapped in favor 
of the subdomain approach.)


>the direct method would not be sufficent or would have security issues
>I would think that than one replaces the direct method with advanced
>one and then we only need only one method, in order that this works.

If you have only one domain to manage and don’t need the indirection 
provided by the advanced method, the direct method is still perfectly 
fine, why replace it?

>And if we must have two methods, why is the order not, like one would
>think: check direct first and if this does not work check advanced?

I don’t know, it feels more logical to me to look for an indirection 
*first*, and only if there’s no indirection you then look at the target 
domain itself.


- Damien
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210112/d7d4dd47/attachment-0001.sig>