WKD for GitHub pages

Ingo Klöcker kloecker at kde.org
Tue Jan 12 17:31:21 CET 2021


On Tuesday, 12 January 2021 12:47:59 CET Stefan Claas via Gnupg-users wrote:
> On Tue, Jan 12, 2021 at 12:43 PM Andrew Gallagher <andrewg at andrewg.com> wrote:
> > Yes, WKD is great. But as André has explained, there is an overhead cost
> > (to everyone) for trying the direct method first, so inverting this to
> > work around the side effects of an experiment that's tied to one
> > particular vendor's service is a *huge* ask.
> 
> Well, I am not sure about the details for a server or a user when it comes
> to overhead and if you mean with one particular vendor GitHub, well
> that may be the beginning, for such request. But like I mentioned if people
> would wish to manage key distribution themselves, without using third
> parties, like Hagrid or Hockeypuck or even running such software and
> servers I strongly believe that WKD could be an excellent choice, if
> this would be fixed.

Why do you think anything needs to be changed in gpg? The problem isn't the
implementation of WKD in gpg. The problem is that GitHub serves
sub-sub-subdomains like openpgpkey.sac001.github.io with an invalid TLS
certificate.

It's not only gpg that complains.

===
$ curl https://openpgpkey.sac001.github.io
curl: (60) SSL: no alternative certificate subject name matches target host name 'openpgpkey.sac001.github.io'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
===

It's easy for people to manage key distribution themselves with WKD. All they
have to do is set up WKD with or without openpgpkey subdomain with valid (!!!)
TLS certificates.

Regards,
Ingo
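
Added example, not part of the original message and not GnuPG's own code: a Python sketch that derives the advanced and direct WKD lookup URLs for an address and checks whether a certificate's subject alternative names cover each host. The address user@sac001.github.io and the SAN list are constructed for illustration; the SAN list assumes a certificate carrying a single-label wildcard for github.io.

```python
import hashlib
from urllib.parse import quote, urlsplit

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad to a multiple of 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD URLs for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    # WKD hashes the lowercased local part with SHA-1.
    hashed = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    tail = f"hu/{hashed}?l={quote(local)}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }

def san_matches(pattern: str, host: str) -> bool:
    """Hostname match where '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    return p[1:] == h[1:] if p[0] == "*" else p == h

def check(address: str, sans: list) -> dict:
    """Map each WKD method to whether the certificate covers its host."""
    return {
        method: any(san_matches(s, urlsplit(url).hostname) for s in sans)
        for method, url in wkd_urls(address).items()
    }

# Constructed sample: assumed SAN list with a single-label wildcard.
SAMPLE_SANS = ["*.github.io", "github.io"]

if __name__ == "__main__":
    addr = "user@sac001.github.io"  # constructed address
    for method, url in wkd_urls(addr).items():
        ok = check(addr, SAMPLE_SANS)[method]
        print(f"{method:8} {urlsplit(url).hostname:32} cert covers host: {ok}")
```

Under that assumption the direct host sac001.github.io is covered, while openpgpkey.sac001.github.io is one label too deep for the wildcard, which is the mismatch curl reports above.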