WKD for GitHub pages

Stefan Claas spam.trap.mailing.lists at gmail.com
Tue Jan 12 20:40:24 CET 2021

On Tue, Jan 12, 2021 at 8:17 PM André Colomb <andre at colomb.de> wrote:
> Hi Stefan,

> So there are two "bugs" involved here.  1. GitHub presenting an invalid
> certificate for the sub-subdomain and 2. Sequoia not noticing that.
> Neither of these are bugs in GnuPG.  If you can accept these facts, then
> it makes sense to further discuss what could be changed where to make
> your desired setup work.  Maybe that discussion will lead to a concise
> change proposal.

Hi Andre, currently I can only accept the fact that these two "bugs" are
currently not resolved in GnuPG and gpg4win, if you allow me to
formulate it this way. I desperately hope that this thread will lead to a
fruitful outcome, for GnuPG and gpg4win users, while I personally
could care less, because I just checked yesterday the latest sq
version and I am happy that it works.

> One more question: You're talking about OpenPGP key discovery setups for
> families and small groups, IIUC.  And that should involve WKD and
> GitHub.  But how should these people actually get working e-mail
> addresses @example.github.io?  WKD very specifically ties the key
> discovery to the control over the involved domain.  It moves part of the
> trust relationship to the domain administrator.  So who is actually in
> control over those e-mail addresses?

Good question Andre! In case of github.io there is apprently no
email address, which is IMHO a good thing if people like to
set-up a github.io page and do not want to reveal their real
email address, to third parties, which is IMHO their good right,
in case they like to use this github.io pub key as multi-purpose
key, let's say for multiple email accounts, from other services,
file transfer, NFC postcards, you name it.

Let's say as an example for gnupg.org. If am not mistaken
dev.gnupg.org has a different cert as gnupg.org. Let's assume
also that gnupg.org would come up with the idea of running
keys.gnupg.org. I strongly believe that a (purchased) SSL
cert for gnupg.org, covering wildcard subdomains, like GitHub's
cert is neither wrong nor does it cause any security implications,
when the direct method is used.

Speaking of overhead, I must admit (again) I do not understand
what this is or what this can cause for a server maintainer or
a GnuPG or gpg4win user, when I for example can fetch my
pub key with sequoia real quick, because in binary form these
are only a couple of bytes and I strongly believe that a simple
directory structure, holding some files, on a web server has no
issues either.

> I hope this mail will not upset you.  Just trying to clarify what you
> might have misunderstood that leads to people not understanding or
> agreeing with your proposal.  I don't mind to be proven wrong if it was
> in fact my misunderstanding.

Of course not and I appreciate if this issue can be discussed further!

Best regards

More information about the Gnupg-users mailing list