WKD proper behavior on fetch error

Stefan Claas spam.trap.mailing.lists at gmail.com
Sun Jan 17 00:28:31 CET 2021


On Sun, Jan 17, 2021 at 12:09 AM raf via Gnupg-users
<gnupg-users at gnupg.org> wrote:
>
> On Sat, Jan 16, 2021 at 02:20:17AM +0100, Stefan Claas <spam.trap.mailing.lists at gmail.com> wrote:
>
> > On Sat, Jan 16, 2021 at 1:45 AM raf via Gnupg-users
> > <gnupg-users at gnupg.org> wrote:
> >
> > > But there is no certificate that covers that sub-sub-domain.
> > > That's why browsers complain if you go to
> > > https://openpgpkey.sac001.github.io/.
> >
> > A quick question, if you don't mind. Why do people here on this ML
> > insist on a sub-sub domain, named openpgpkey?
>
> Because that's how WKD is defined to work.
>
> > Have you ever maintained a web server?
>
> Yes (but that's not really relevant).
>
> > I am not using the html protocol that much, but for me the openpgpkey
> > part in the (for me fictitious) URL causes this error, because GnuPG or
> > gpg4win is looking for this.
>
> It's not fictitious. WKD clients try to resolve it (i.e.
> look it up via the DNS protocol), and github's DNS
> servers successfully return several IP addresses for it.
> Therefore, as far as github, the owner of the domain, is
> concerned, it is real and therefore not fictitious.
>
> > I ask, because for me the proper URL would be:
> >
> > https://sac001.github.io/.well-kown/openpgpkey/etc..
>
> What you refer to as "proper" is just the direct method.
> That's only half of the WKD protocol. There is also the
> advanced method. Both methods together comprise the WKD
> protocol.

And in the case of GnuPG and gpg4win it does not work
like one would expect, if the direct method is part of the
protocol, because it will not be triggered if an error occurs
with the advanced method.

>
> > And therefore I see absolutely no reason why GitHub or anybody
> > else should change their valid SSL cert(s) or do elsewhere some
> > mumbo jumbo, so to speak.
>
> If their SSL cert were valid for your sub-sub-domain,
> there would be no reason to change, but as has been
> pointed out many many times, their certificate is only
> valid for the domains that it is valid for. It is not
> valid for anything else, and the domain
> openpgpkey.sac001.github.com is one of the domains for
> which github's certificate is not valid.

And that is correct, and as we all have seen, GnuPG and
gpg4win are not falling back to the valid direct method, while
sequoia-pgp does and gives satisfactory results. That
simple... :-)
>
> If this seems like mumbo jumbo to you, please accept
> that it really isn't. It's just that you aren't
> familiar enough with all of the protocols involved. And
> if that's the case, you can't with any confidence
> assert that github's certificate is valid (for anything
> other than the domains that are bound to the
> certificate).

You know what I like most in the whole discussion: that people
always assume, when trying to convince me, that, like
you say, I am not familiar enough with this and
that, and when I counter-argue that I have not yet received
here a simple answer, for all laymen reading here, why
GnuPG or gpg4win cannot fall back or test the availability
of the direct method. I think it is a quite simple question
and neither Werner nor anybody else can, so it seems, answer
this. The only satisfactory and honest answer came only
from Neal so far, explaining why it properly works with
sequoia-pgp.

> > And even if people had to set up these extra steps for the advanced
> > method, then at least there is still some room for explaining why
> > one then also uses the direct method, or not, because of the name
> > 'advanced', which tells me it has higher priority than direct.
>
> It has been explained a few times already. But if the
> explanations aren't making sense, perhaps you need more
> background information in order to understand the
> explanations that have been given. Perhaps you could
> read up on DNS and TLS and WKD. I'd recommend the
> O'Reilly books on Bind and OpenSSL. There are probably
> free online resources but those books are good. But
> maybe I just like books for learning big new subjects.
> And also the WKD draft, of course. Sorry to suggest a
> pile of reading material, but I can't think of a better
> way to learn the relevant topics.

You can assume whatever you like and try to convince me,
but sorry to say this, the fact is sequoia-pgp works and GnuPG
and gpg4win do not.

My advice would be that Werner thinks of proper wildcard
subdomain support, like my Github case and as already
suggested (as I have seen now), to give WKD users a
*clear* picture.

P.S. I have no problem discussing this thread further here
with everybody, even if it is getting a bit boring
for me now. I do accept however the mistakes I publicly make
or have made here, but at least the interested reader
gets a good overview of how things 'work' in the GnuPG
ecosystem, if you understand what I mean ...

Best regards
Stefan


