WKD proper behavior on fetch error

raf gnupg at raf.org
Sun Jan 17 00:06:20 CET 2021

On Sat, Jan 16, 2021 at 02:20:17AM +0100, Stefan Claas <spam.trap.mailing.lists at gmail.com> wrote:

> On Sat, Jan 16, 2021 at 1:45 AM raf via Gnupg-users
> <gnupg-users at gnupg.org> wrote:
> > But there is no certificate that covers that sub-sub-domain.
> > That's why browsers complain if you go to
> > https://openpgpkey.sac001.github.io/.
> A quick question, if you don't mind. Why do people here on this ML
> insist on a sub-sub domain, named openpgpkey?

Because that's how WKD is defined to work.

> Have you ever maintained a web server?

Yes (but that's not really relevant).

> I am not using the html protokoll that much, but for me the openpgpkey
> part in, the for me fictious, URL, causes this error, because GnuPG or
> gpg4win is looking for this.

It's not fictitious. WKD client try to resolve it (i.e.
look it up via the DNS protocol), and github's DNS
servers successfully return several IP addresses for it.
Therefore, as far as github, the owner of the domain, is
concerned, it is real and therefore not fictitious.

> I ask, because for me the proper URL would be:
> https://sac001.github.io/.well-kown/openpgpkey/etc..

What you refer to as "proper" is just the direct method.
That's only half of the WKD protocol. There is also the
advanced method. Both methods together comprise the WKD

> And therefore I see absolutely no reason why GitHub or anybody
> else should change their valid SSL cert(s) or do elsewhere some
> mumbo jumbo, so to speak.

If their SSL cert were valid for your sub-sub-domain,
there would be no reason to change, but as has been
pointed out many many times, their certificate is only
valid for the domains that it is valid for. It is not
valid for anything else, and the domain
openpgpkey.sac001.github.com is one of the domains for
which github's certificate is not valid.

If this seems like mumbo jumbo to you, please accept
that it really isn't. It's just that you aren't
familiar enough with all of the protocols involved. And
if that's the case, you can't with any confidence
assert that github's certificate is valid (for anything
other than the domains that are bound to the

> And even if people had to set-up this extra steps for the advanced
> method than at least there is still some room for explaining while
> then using also the direct method, or not, because of the name
> 'advanced', which tells me it has higher priotity than direct.

It has been explained a few times already. But if the
explanations aren't making sense, perhaps you need more
background information in order to understand the
explanations that have been given. Perhaps you could
read up on DNS and TLS and WKD. I'd recommend the
O'Reilly books on Bind and OpenSSL. There are probably
free online resources but those books are good. But
maybe I just like books for learning big new subjects.
And also the WKD draft, of course. Sorry to suggest a
pile of reading material, but I can't think of a better
way to learn the relevant topics.

> I must say good night now.
> Best regards
> Stefan


More information about the Gnupg-users mailing list