WKD for GitHub pages

Daniele Nicolodi daniele at grinta.net
Tue Jan 12 21:24:59 CET 2021

On 12/01/2021 20:40, Stefan Claas via Gnupg-users wrote:
> On Tue, Jan 12, 2021 at 8:17 PM André Colomb <andre at colomb.de> wrote:

>> One more question: You're talking about OpenPGP key discovery setups for
>> families and small groups, IIUC.  And that should involve WKD and
>> GitHub.  But how should these people actually get working e-mail
>> addresses @example.github.io?  WKD very specifically ties the key
>> discovery to the control over the involved domain.  It moves part of the
>> trust relationship to the domain administrator.  So who is actually in
>> control over those e-mail addresses?
> Good question Andre! In case of github.io there is apprently no
> email address, which is IMHO a good thing if people like to
> set-up a github.io page and do not want to reveal their real
> email address, to third parties, which is IMHO their good right,
> in case they like to use this github.io pub key as multi-purpose
> key, let's say for multiple email accounts, from other services,
> file transfer, NFC postcards, you name it.

The point of WKD is using the trust of the CA machinery (and the
assumption that the email infrastructure and web servers serving a
specific domain are run by the same organization) to securely retrieve
OpenPGP keys associated to an email address. There keys can then be used
to communicate with the older of the email address.

The party in the communication are identified by email addresses.

In your scheme there are no email addresses. How is retrieving an
OpenPGP key from a random .github.io subdomain from obtaining it in any
other untrusted way? What is the line of trust in the scheme you are


More information about the Gnupg-users mailing list