WKD for GitHub pages

Stefan Claas spam.trap.mailing.lists at gmail.com
Tue Jan 12 18:05:49 CET 2021

On Tue, Jan 12, 2021 at 5:36 PM Ingo Klöcker <kloecker at kde.org> wrote:
> On Dienstag, 12. Januar 2021 12:47:59 CET Stefan Claas via Gnupg-users wrote:
> > On Tue, Jan 12, 2021 at 12:43 PM Andrew Gallagher <andrewg at andrewg.com>
> wrote:
> > > Yes, WKD is great. But as André has explained, there is an overhead cost
> > > (to everyone) for trying the direct method first, so inverting this to
> > > work around the side effects of an experiment that's tied to one
> > > particular vendor's service is a *huge* ask.
> >
> > Well, I am not sure about the details for a server or a user when it comes
> > to overhead and if you mean with one particular vendow GitHub, well
> > that may be the beginning, for such request. But like I mentioned if people
> > would wish to manage key distribution themselves, without using third
> > parties, like Hagrid or hokeypuck or even running such software and
> > servers I strongly believe that WKD could be an excellent choice, if
> > this would be fixed.
> Why do you think anything needs to be changed in gpg? The problem isn't the
> implementation of WKD in gpg. The problem is that GitHub serves sub-sub-
> subdomains like openpgpkey.sac001.github.io with an invalid TLS certificate.
> It's not only gpg that complains.
> ===
> $ curl https://openpgpkey.sac001.github.io
> curl: (60) SSL: no alternative certificate subject name matches target host
> name 'openpgpkey.sac001.github.io'
> More details here: https://curl.se/docs/sslcerts.html
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> ===
> It's easy for people to manage key distribution themselves with WKD. All they
> have to do is setup WKD with or without openpgpkey subdomain with valid (!!!)
> TLS certificates.

Hello Ingo,

please ... openpgpkey is *not* a part of a real (sub)domain, which a
user of any domain service has to define in a record.

Please accept also that a modern OpenPGP software like sequoia-pgp
can handle this *adequately* with the direct method first!

Additionally I have received from GitHub a very nice reply, which I and
I guess all will accept here!

Quote: "... however I don't believe GitHub is in a position to try and persuade
a software author to change or fix their software."

So the last thing besides here discussing the issue with the community is
to file a bug report at: https://dev.gnupg.org/

At least the global OpenPGP community is now aware of my proposal
and I repeat here once again: GitHub (which I am not affiliated with in
any form) has a *proper* SSL cert and github.io pages are properly
working subdomain sites, wiich GnuPG's and gpg4win's WKD implementation
can not handle, while modern OpenPGP implementations like
sequoia-pgp can handle this. BTW. I am also not affiliated in any form with
sequoia or the pep foundation etc.

Best regards

More information about the Gnupg-users mailing list