WKD proper behavior on fetch error

André Colomb andre at colomb.de
Thu Jan 14 09:02:14 CET 2021 

Hi Ángel,

thanks for your contribution with a clear focus.

On 14/01/2021 01.47, Ángel wrote:
> Probably the most important part of the rule: "all implementations of
> WKD should behave in the same way". I don't mind if it was gnupg that
> was changed to behave like sequoia, but given identical conditions,
> ideally all clients (and the draft reading) should produce the same
> result (find key X, an error, etc.).

I agree with that.  And the next draft version SHOULD be very clear
about this to avoid future discussions :-)

> I would recommend to remove the or_else case and fail with an error if
> the advanced method is (supposedly) set up but fails. At least, I think
> there should be a diagnostic e.g. "WKD advanced method configured but
> broken. Connection to openpgpkey.foo.com (1.2.3.4) failed: Bad
> certificate. Trying direct method" although I would prefer a hard
> error.

Definitely, the decision which method to try should be very simple, as
the WKD draft intended.  Only one decision point instead of many paths
leading back to a change of method.

> (Of course, if the user explicitly requested the client/library to only
> use the direct method, ignore certificate errors, etc. it'd be fine to
> do so)

That's an excellent suggestion, giving Sequoia an option to force trying
one method or the other.  I don't know if adding as many command line
switches as gpg has is your cup of tea, but e.g. an environment variable
could be used to really make it a "debugging" type of option.  The great
benefit is that Sequoia can then act as a WKD checker, which should
always examine the intended, but possibly misconfigured, method or even
both.

> PPS: Another benefit would be that we could have avoided this long
> thread. :-)

I couldn't resist trying to help Stefan understand where the error lies,
so apologies for my share of the message flood :-)

Kind regards
André

-- 
Greetings...
From: André Colomb <andre at colomb.de>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210114/5363296d/attachment-0001.sig>

More information about the Gnupg-users mailing list