WKD & Sequoia

Stefan Claas spam.trap.mailing.lists at gmail.com
Wed Jan 13 17:56:01 CET 2021 

On Wed, Jan 13, 2021 at 4:36 PM André Colomb <andre at colomb.de> wrote:
>
> Hi Stefan,
>
> On 13/01/2021 17.07, Stefan Claas wrote:
> > On Wed, Jan 13, 2021 at 10:22 AM André Colomb <andre at colomb.de> wrote:
> >
> >> So the core problem, as with Stefan's case, is the lack of control over
> >> the domain's DNS settings.  Which the WKD mechanism relies upon to
> >> delegate trust to the domain operators.
> >
> > Hi Andre, I wouldn't formulate it this way. I already mentioned that I am able
> > to set up for my 300baud.de domain a couple of droplets and use as suggested
> > a valid wildcard subdomain cert, like I explained with the bund.de example and
> > I am pretty sure that GnuPG and gpg4win will then fail, same as with GitHub.
>
> Sorry, I have no clue what is configured, what works and what should
> work regarding WKD on your 300baud.de setup.  Can we please stick to one
> real example, not something made up about bund.de?
>
> What are droplets?  For which domain did you generate a wildcard
> certificate?  What are the DNS settings on that domain?  I could take a
> look at what responses are returned from the real domain, but need some
> information at least which OpenPGP user ID should be fetchable over WKD
> from that domain.  If you're even interested in learning about how to
> set up WKD properly.

Digital Ocean calls their VPS servers droplets and If I would set them up
as a test rig, I would use three, like '300baud.de', 'foo.300baud.de'
and 'bar.300baud.de'. In 300baud.de I would set up the WKD directory and
the SSL cert, with an entry for wildcard subdomains which would cover then
hosts foo and bar. In the WKD directory I would put then a couple of keys with
proper sample email addresses from all three hosts.

With this set-up, without noodling around with records settings at my domain
service (for ease of use and managing WKD) I stronly assume that this
set-up follows the direct method and works with sequoia-pgp properly and
should fail currently with GnuPG and gpg4win,same as it fails with GitHub.

IIRC the (old) WKD specs did not mention nor did they said that it was required
to noodle around witth domain settings, regarding the openpgpkey folder when
setting up records for hosts with a domain service provider.

Regards
Stefan

More information about the Gnupg-users mailing list