WKD proper behavior on fetch error
angel at pgp.16bits.net
Sat Jan 16 02:25:14 CET 2021
On 2021-01-15 at 20:34 +0100, Stefan Claas via Gnupg-users wrote:
> If you or someone else sets up a web server, for a big organisation
> or for yourself, you simply put in the .well-known folder some
> content which would look most likely then like this:
> http://domain.tld/.well-known/etc... or maybe
Right. For instance, you would use either
> If someone writes now a program which needs to access content in the
> well-known folder, why does a software author need to implement two
> methods to access the well-known folder? This part for example I do
> not understand, because if one method is not good or secure enough I
> would simply drop one method and implement only the more secure and
> more reliable one, or not?
Because the specification says that it can be in those two places. It
could have stated only one, or a dozen. Or even, "start following links
from the main index and stop after you find the first pgp key".
> The situation we now have is that we have two popular OpenPGP apps
> which handle the access to the well-known openpgp directory
> differently, which nobody can deny.
They differ *slightly*. Only if the first location exists but fails.
But yes, they differ, as agreed by everyone.
> I for example can say I don't care about a draft and happily promote
> sequoia-pgp usage over GnuPG usage, in case OpenPGP users would like
> to use GitHub and WKD for a multi-purpose OpenPGP too. That would
> probably pi*#-off Werner and a couple of others very much, but I have
> not done something wrong and people are allowed to do the same.
Of course, you could. Or you could simply say: the pgp key of
<user>@<domain>.com shall be at https://www.<domain>.com/<user>.pub
That would be following a completely different "standard", but it would
be perfectly fine, too. The beauty of standards is to get everyone
following the same rules and not a https://xkcd.com/927/ situation.
A standard allows people to know where to place their keys in a place
where they will be looked for, and the clients to know where they should look
for them and how to act.
> My intention was only to promote WKD OpenPGP usage for github.io
> pages in case people like the idea.
This was a good idea, but github pages don't seem to support being used
for WKD (due to the mentioned wildcard issues).
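
The two locations and the one case where clients differ, as an added example that is not code from this thread, from GnuPG or from sequoia-pgp. The URL layouts are the advanced and direct methods of the WKD draft; the outcome labels, the `fallback_on_error` switch and the function names are constructed for illustration.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
# Constructed labels for what happened at the advanced location.
NO_HOST, FETCH_ERROR, FOUND = "no_host", "fetch_error", "found"

def wkd_hash(local_part):
    """z-base-32 of SHA-1 over the lowercased local part (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZBASE32[(n >> (155 - 5 * i)) & 31] for i in range(32))

def wkd_urls(address):
    """Return (advanced_url, direct_url) for a mail address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not a mail address: %r" % address)
    domain = domain.lower()
    h, l = wkd_hash(local), quote(local, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}"
    return advanced, direct

def lookup_order(address, advanced_outcome, fallback_on_error):
    """Locations a client attempts, in order, under one of two policies.

    fallback_on_error=False: direct is tried only if the openpgpkey host
                             does not exist.
    fallback_on_error=True:  direct is also tried when that host exists
                             but the fetch fails (the case where clients differ).
    """
    advanced, direct = wkd_urls(address)
    if advanced_outcome == FOUND:
        return [advanced]
    if advanced_outcome == NO_HOST:
        return [advanced, direct]
    if advanced_outcome == FETCH_ERROR:
        return [advanced, direct] if fallback_on_error else [advanced]
    raise ValueError("unknown outcome: %r" % advanced_outcome)

if __name__ == "__main__":
    # A host that exists but fails: the only case where the policies diverge.
    for policy in (False, True):
        print(policy, lookup_order("Joe.Doe@Example.ORG", FETCH_ERROR, policy))
```

With a wildcard DNS record the `openpgpkey` host always exists, so a key published only at the direct location is reached under the second policy but never under the first.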