WKD for GitHub pages

Stefan Claas spam.trap.mailing.lists at gmail.com
Tue Jan 12 22:17:13 CET 2021

On Tue, Jan 12, 2021 at 10:09 PM Daniele Nicolodi <daniele at grinta.net> wrote:
> On 12/01/2021 20:40, Stefan Claas via Gnupg-users wrote:
> > On Tue, Jan 12, 2021 at 8:17 PM André Colomb <andre at colomb.de> wrote:
> >>
> >> Hi Stefan,
> >
> >> So there are two "bugs" involved here.  1. GitHub presenting an invalid
> >> certificate for the sub-subdomain and 2. Sequoia not noticing that.
> >> Neither of these are bugs in GnuPG.  If you can accept these facts, then
> >> it makes sense to further discuss what could be changed where to make
> >> your desired setup work.  Maybe that discussion will lead to a concise
> >> change proposal.
> >
> > Hi Andre, currently I can only accept the fact that these two "bugs" are
> > currently not resolved in GnuPG and gpg4win, if you allow me to
> > formulate it this way.
> How can GPG solve bugs that are not in the GPG code or infrastructure? I
> think André did a great job explaining what the issues are. How do you
> think they can be addressed by GPG?

If you followed the whole thread you may agree that GnuPG and gpg4win,
due to the way WKD is implemented, do not allow wildcard (sub)domains
when fetching a pub key from, for example, github.io pages, because it gives
a cert error for a *valid* SSL cert, while other OpenPGP software,
like sequoia-pgp, can handle this.

I suggest that you or any other person ask Werner, the author
of GnuPG and IIRC the wkd-draft author, this question, or you ask the sequoia
team how they implemented WKD, because sq.exe does its job.
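
The certificate mismatch discussed in this thread, as an added example that is not part of the original message or of GnuPG or Sequoia: it derives the hosts a WKD client contacts and checks them against a wildcard certificate name the way a TLS hostname check does. Assumptions: the WKD "advanced" method host is `openpgpkey.<domain>`, the "direct" method host is `<domain>`, and the address and certificate names below are constructed samples.

```python
# Added illustration. The mail address and certificate names are constructed.

def wkd_hosts(email):
    """Hosts a WKD client contacts for this address, keyed by lookup method.

    Assumption: "advanced" uses openpgpkey.<domain>, "direct" uses <domain>.
    """
    domain = email.rsplit("@", 1)[1].lower()
    return {"advanced": "openpgpkey." + domain, "direct": domain}


def name_matches(pattern, host):
    """TLS hostname match with the usual wildcard rule.

    A '*' is accepted only as the complete left-most label and stands for
    exactly one label, so '*.github.io' never covers 'a.b.github.io'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):          # wildcard cannot span several labels
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, host):
    """True if any subjectAltName entry of the certificate matches host."""
    return any(name_matches(name, host) for name in san_names)


def check(email, san_names):
    """Per WKD method: does the served certificate match the contacted host?"""
    return {method: cert_covers(san_names, host)
            for method, host in wkd_hosts(email).items()}


if __name__ == "__main__":
    # Constructed sample: a Pages-style wildcard certificate and user address.
    sans = ["*.github.io", "github.io"]
    address = "alice@example-user.github.io"
    hosts = wkd_hosts(address)
    for method, ok in check(address, sans).items():
        print(f"{method:8} {hosts[method]:36} certificate matches: {ok}")
```

A client that validates the certificate strictly fails on the `openpgpkey.` sub-subdomain, while the host used by the direct method is covered by the wildcard.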

