WKD proper behavior on fetch error

André Colomb andre at colomb.de
Fri Jan 15 07:56:26 CET 2021

Am 15. Januar 2021 01:56:04 MEZ schrieb raf via Gnupg-users <gnupg-users at gnupg.org>:
>But of course, you're not asking for that. You're just
>asking for something to work. There must be other ways.
>Accepting invalid certificates might just have been my
>first thought at how to deal with this. But that would
>enable the advanced method to work (in situations where
>it shouldn't). If I remember correctly (possibly not),
>you wanted the direct method to work, and github.io's
>mis-configuration of certificates caused the advanced
>method to be attempted and fail, before the direct
>method could even be attempted.

I'll try to complete your summary. The DNS wildcard entry for *.example.github.io leads to the advanced method being tried. We can't change that entry, and therefore with the current protocol draft, it makes no sense forcefully wanting to use the direct method. 

It's easy to set up the advanced method there. But GitHub uses an invalid TLS certificate for openpgpkey.example.github.io. That's what needs fixing and it is also out of our control.

So basically Stefan's request is to change the protocol to work around a misconfiguration because both DNS and the TLS certificate are controlled by a company that offers the service totally unrelated to WKD. Such a workaround could hurt the ecosystem because it may hide a misconfiguration in setups where the operator does have control over these things and just needs to notice. 

>OK. I just had a look at https://wiki.gnupg.org/WKD and
>it doesn't refer to "advanced" or "direct" methods. It
>seems to consider the "direct" method as the main
>method, and the "advanced" method as a "Stopgap method"
>which is "Not recommended - but a temporary
>workaround". So having an additional mechanism to
>disable the "advanced" method sounds reasonable. Or
>maybe the wiki page needs to be updated(?).

Sorry, you just misread that part. The stopgap solution is to use a server operated by openpgp.org instead of your own web server. For that to work, you must set up the advanced method for WKD on your domain's DNS. That method is perfectly fine and in some scenarios even easier to use.

Kind regards

Hi raf,

thanks for your perspective on the matter.

From: André Colomb <andre at colomb.de>

More information about the Gnupg-users mailing list