WKD & Sequoia

Stefan Claas spam.trap.mailing.lists at gmail.com
Wed Jan 13 20:40:59 CET 2021


On Wed, Jan 13, 2021 at 7:26 PM André Colomb <andre at colomb.de> wrote:
>
> On 13/01/2021 17.56, Stefan Claas wrote:
> >> What are droplets?  For which domain did you generate a wildcard
> >> certificate?  What are the DNS settings on that domain?  I could take a
> >> look at what responses are returned from the real domain, but need some
> >> information at least which OpenPGP user ID should be fetchable over WKD
> >> from that domain.  If you're even interested in learning about how to
> >> set up WKD properly.
> >
> > Digital Ocean calls their VPS servers droplets and if I would set them up
> > as a test rig, I would use three, like '300baud.de', 'foo.300baud.de'
> > and 'bar.300baud.de'. In 300baud.de I would set up the WKD directory and
> > the SSL cert, with an entry for wildcard subdomains which would cover then
> > hosts foo and bar. In the WKD directory I would put then a couple of keys with
> > proper sample email addresses from all three hosts.
>
> That's a lot of "ifs".  Right now, 300baud.de has neither A nor AAAA nor
> CNAME record, so there is no server IP address to contact.  Obviously
> there is also no wildcard record either, as e.g. www.300baud.de does not
> resolve.  It's not clear to me which (sub)domain you would want to use
> in a fictional OpenPGP key's user ID?

There is currently no server running under my 300baud.de domain.
I had to shut them down due to recent changes in DO's TOS.
>
> > With this set-up, without noodling around with records settings at my domain
> > service (for ease of use and managing WKD) I strongly assume that this
> > set-up follows the direct method and works with sequoia-pgp properly and
> > should fail currently with GnuPG and gpg4win, same as it fails with GitHub.
>
> It's actually pretty easy.  If the openpgpkey... subdomain resolves
> (explicit entry or DNS wildcard), then the advanced method is used.
> Otherwise the simple method.  That's the only difference, and it does
> not depend on whatever your certificate contains.
>
> Depending on the chosen method, you need to make sure that there is a
> web server answering with a *valid* TLS certificate and with the proper
> expected directory structure.  There is no reason at all to "strongly
> assume" any malfunction or bug in GnuPG and I assure you that it's
> possible to make either method work.

Mmmh, probably we can discuss this *valid* until we get blue in the face ...
>
> The only difference for Sequoia is that it ignores your expressed intent
> to use the advanced method if something is misconfigured, and falls back
> to the simple method.  GnuPG does not do that, because it correctly
> follows the specification word by word.

Which would make sense to me and thankfully sequoia-pgp does this.

> > IIRC the (old) WKD specs did not mention nor did they say that it was required
> > to noodle around with domain settings, regarding the openpgpkey folder when
> > setting up records for hosts with a domain service provider.
>
> WKD is still an Internet *Draft*, so it's expected to find corner cases
> like yours that are not yet 100 % unambiguous.  That's what the drafting
> process and public discussion is intended for.  Different
> interpretations should not be possible, and you found a case where
> Sequoia and GnuPG really do differ.  But it still does *not* say one
> needs to "noodle around with domain settings".  It points you to the
> right spice to add just in case your domain settings are already a
> noodle soup.

Draft, yes I know and I desperately hope with this whole thread that
Werner and most important OpenPGP users and organizations around
the globe think about this, because it could have IMHO a *major* impact
for OpenPGP key distribution, when it comes to easy set-up and maintaining
themselves a WKD service while not relying on third parties, like Hagrid or
later the hockeypuck Network, for whatever reasons people may have.

sequoia did the right step and I hope for people relying on GnuPG that
it is possible for them in the future too.

Best regards
Stefan
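The method selection discussed above (advanced method if openpgpkey.<domain> resolves, direct method otherwise, with Sequoia additionally falling back to the direct method), as an added Python example that is not from this thread, GnuPG or Sequoia. It assumes the draft's published test vector for Joe.Doe@Example.ORG; the DNS check is injectable so the two behaviours can be shown offline, and strict/lenient is a deliberate simplification of the difference described in the thread.

```python
import base64
import hashlib
import socket
from typing import Callable, List
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft for the hashed local-part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_STD_TO_ZB32 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", ZBASE32)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local-part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    # Standard base32 uses the same 5-bit grouping; only the alphabet differs,
    # and a 20-byte digest encodes without any padding.
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_ZB32)


def subdomain_resolves(host: str) -> bool:
    """Live DNS check: does the host resolve at all (A, AAAA or CNAME)?"""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def wkd_urls(email: str, strict: bool = True,
             resolves: Callable[[str], bool] = subdomain_resolves) -> List[str]:
    """Lookup URLs in the order a client would try them.

    strict=True models the rule quoted in the thread: the advanced method is
    selected if and only if openpgpkey.<domain> resolves (an explicit record
    or a DNS wildcard both count); otherwise the direct method is used.
    strict=False models the fallback described for Sequoia (simplified here):
    the advanced URL first, then the direct URL as well.
    """
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    digest = wkd_hash(local)
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{digest}?l={quote(local, safe='')}")
    direct = (f"https://{domain}/.well-known/openpgpkey/hu/{digest}"
              f"?l={quote(local, safe='')}")
    if resolves(f"openpgpkey.{domain}"):
        return [advanced] if strict else [advanced, direct]
    return [direct]
```

With a DNS wildcard on the domain, the strict client asks only openpgpkey.<domain> and therefore needs a valid certificate for that host and the advanced directory layout there; the lenient client still tries the direct URL afterwards.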



More information about the Gnupg-users mailing list