WKD & Sequoia

André Colomb andre at colomb.de
Wed Jan 13 20:25:49 CET 2021

On 13/01/2021 17.56, Stefan Claas wrote:
>> What are droplets?  For which domain did you generate a wildcard
>> certificate?  What are the DNS settings on that domain?  I could take a
>> look at what responses are returned from the real domain, but need some
>> information at least which OpenPGP user ID should be fetchable over WKD
>> from that domain.  If you're even interested in learning about how to
>> set up WKD properly.
> Digital Ocean calls their VPS servers droplets and if I were to set them up
> as a test rig, I would use three, like '300baud.de', 'foo.300baud.de'
> and 'bar.300baud.de'. In 300baud.de I would set up the WKD directory and
> the SSL cert, with an entry for wildcard subdomains which would then cover
> hosts foo and bar. In the WKD directory I would then put a couple of keys with
> proper sample email addresses from all three hosts.

That's a lot of "ifs".  Right now, 300baud.de has neither A nor AAAA nor
CNAME record, so there is no server IP address to contact.  Obviously
there is also no wildcard record either, as e.g. www.300baud.de does not
resolve.  It's not clear to me which (sub)domain you would want to use
in a fictional OpenPGP key's user ID?

> With this set-up, without noodling around with record settings at my domain
> service (for ease of use and managing WKD) I strongly assume that this
> set-up follows the direct method and works with sequoia-pgp properly and
> should fail currently with GnuPG and gpg4win, same as it fails with GitHub.

It's actually pretty easy.  If the openpgpkey... subdomain resolves
(explicit entry or DNS wildcard), then the advanced method is used.
Otherwise the simple method.  That's the only difference, and it does
not depend on whatever your certificate contains.

Depending on the chosen method, you need to make sure that there is a
web server answering with a *valid* TLS certificate and with the proper
expected directory structure.  There is no reason at all to "strongly
assume" any malfunction or bug in GnuPG and I assure you that it's
possible to make either method work.

The only difference for Sequoia is that it ignores your expressed intent
to use the advanced method if something is misconfigured, and falls back
to the simple method.  GnuPG does not do that, because it correctly
follows the specification word by word.

> IIRC the (old) WKD specs did not mention nor did they say that it was required
> to noodle around with domain settings, regarding the openpgpkey folder when
> setting up records for hosts with a domain service provider.

WKD is still an Internet *Draft*, so it's expected to find corner cases
like yours that are not yet 100 % unambiguous.  That's what the drafting
process and public discussion is intended for.  Different
interpretations should not be possible, and you found a case where
Sequoia and GnuPG really do differ.  But it still does *not* say one
needs to "noodle around with domain settings".  It points you to the
right spice to add just in case your domain settings are already a
noodle soup.

Kind regards

From: André Colomb <andre at colomb.de>
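The method selection André describes above (advanced method if the openpgpkey subdomain resolves, direct method otherwise, with no fallback when the advanced server turns out to be misconfigured) can be made concrete. The following is an added example, not code from the list posting, from GnuPG or from Sequoia; it implements the hashed local-part and the two URL forms as laid out in the WKD draft, and the DNS check is injectable so it runs offline. The domains example.org and example.net in the demo are constructed; only the "Joe.Doe" hash value is the draft's own test vector.

```python
"""WKD lookup URL construction with advanced/direct method selection.

Added example, not code from GnuPG, Sequoia or the list posting.
"""
import hashlib
import socket
from typing import Callable, Optional
from urllib.parse import quote

# z-base-32 alphabet as used by WKD for the hashed local-part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (zero-bit padded, no padding characters)."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # bring the bit count up to a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local-part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def dns_resolves(hostname: str) -> bool:
    """True if the system resolver finds an address for the name.

    An explicit A/AAAA/CNAME record or a DNS wildcard both count, which is
    exactly the situation discussed in the thread.
    """
    try:
        socket.getaddrinfo(hostname, 443)
        return True
    except socket.gaierror:
        return False


def select_method(domain: str,
                  resolves: Callable[[str], bool] = dns_resolves) -> str:
    """'advanced' if openpgpkey.<domain> resolves, otherwise 'direct'.

    Strict reading: once the subdomain resolves, the advanced method is
    chosen and no fallback to 'direct' is attempted later.
    """
    return "advanced" if resolves(f"openpgpkey.{domain.lower()}") else "direct"


def wkd_url(address: str, method: Optional[str] = None,
            resolves: Callable[[str], bool] = dns_resolves) -> str:
    """Build the WKD key URL for the e-mail address of a user ID."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if method is None:
        method = select_method(domain, resolves)
    hashed = wkd_hash(local_part)
    # The l= parameter carries the original (not lowercased) local-part.
    query = "?l=" + quote(local_part, safe="")
    if method == "advanced":
        return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{hashed}{query}")
    if method == "direct":
        return f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}"
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    # Offline demo with a constructed resolver: pretend only example.org has
    # an openpgpkey subdomain (or a wildcard) and example.net has none.
    fake = lambda host: host == "openpgpkey.example.org"
    print(wkd_url("Joe.Doe@Example.ORG", resolves=fake))   # advanced method
    print(wkd_url("Joe.Doe@Example.NET", resolves=fake))   # direct method
```

Run without arguments it prints one URL per method; passing the real `dns_resolves` (the default) reproduces the decision a strict client would make for a live domain, so the same address can be checked against what the server actually serves under each path.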
