WKD & Sequoia

Stefan Claas spam.trap.mailing.lists at gmail.com
Thu Jan 14 00:06:12 CET 2021

On Wed, Jan 13, 2021 at 11:45 PM André Colomb <andre at colomb.de> wrote:
> On 13 January 2021 at 21:44:07 CET, Stefan Claas via Gnupg-users <gnupg-users at gnupg.org> wrote:
> >Hi Juergen,
> >
> >looks like you are a bit upset, like probably others as well.
> I hope others don't mind me speaking in their names. Stefan, we are upset by you making false accusations about which software does something right or wrong. Both programs are reacting differently to an error which lies in your TLS certificate usage (as several people have proven multiple times). You're not even to blame for that root cause, because it is not under your control. Don't only look at the end result, but please try to understand that the cause lies deeper than just the spec or the clients you tried.

I am fully ok with that. All my replies here were not intended to
"accuse" someone! In my OP I kindly asked if a kind soul could help me,
and IIRC it was mentioned that the direct method is fine, and I figured
out that GnuPG seems not to try the direct method while sequoia-pgp
tries the direct method.

It would have been *really* nice if Werner had chimed in, like Neal,
and had explained himself why it is definitely a no-go to try the
direct method first, or, in case the advanced method failed, why it
does not try the direct method and what security implications this has.

Maybe, I don't know, readers here on the ML are now asking themselves
why we have two methods, e.g. what their purpose is and what
information one can gain from an IMHO very nice WKD checker Wiktor has
created.

If the draft is changed in the future to only allow the advanced method
and the direct method is dropped, ok, I have to accept this, for GitHub
usage and whatever sites have a similar set-up, and that's it. Then
maybe a question from readers may come up: why was it dropped, when it
was implemented in the first place, regardless of GitHub etc.

> >I am not aware how their network is set-up and it is not my business,
> >but would you not agree that it would be very nice to have a wildcard
> >subdomain solution, for all their inhouse offices and employees email
> >addresses, while managing themselves key distribution?
> It's a little unclear what *exactly* you mean with "a wildcard subdomain solution". WKD can work perfectly with wildcards involved, both on the DNS and TLS levels. But such things can be misconfigured and the spec even explicitly mentions one possible pitfall including a solution.

I think I have explained, at least for an expert like you, the set-up
for 300baud.de that I would use. As soon as time permits I will do
this, even if it costs me money I could spend on other things. But it
then gives me a better overview, and I can correct myself while
thinking my set-up would be equal to GitHub's set-up. In case I get
stuck I would like to ask you for advice. Please note: I will not use
the advanced method; I would like to see if this will work with
sequoia-pgp and GnuPG.
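For readers wondering what the two lookup methods the thread keeps referring to actually are, here is an added example (not from the list post, GnuPG or sequoia-pgp) that derives both the direct-method and advanced-method WKD URLs for a mail address the way the Web Key Directory draft describes: lower-case the local-part, SHA-1 it, z-base-32 encode the digest. The `Joe.Doe@Example.ORG` vector is the draft's own worked example.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by the WKD draft (not RFC 4648 base32)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, MSB first."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # a SHA-1 digest (160 bits) needs no padding
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """Hash of the local-part: ASCII upper-case folded to lower-case, SHA-1, z-base-32."""
    folded = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(folded.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the direct- and advanced-method key and policy URLs for one address.

    The draft has clients try the advanced method first and fall back to the
    direct method; the thread above is about when that fallback happens.
    """
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local_part)
    l_param = "?l=" + quote(local_part, safe="")   # original, unfolded local-part
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "direct": f"{direct_base}/hu/{h}{l_param}",
        "direct_policy": f"{direct_base}/policy",
        "advanced": f"{advanced_base}/hu/{h}{l_param}",
        "advanced_policy": f"{advanced_base}/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```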


More information about the Gnupg-users mailing list