Please tackle the Right Thing (was: WKD Checker)

Stefan Claas spam.trap.mailing.lists at
Tue Jan 19 16:31:25 CET 2021

On Tue, Jan 19, 2021 at 11:15 AM Werner Koch <wk at> wrote:
> Stefan,
> It has been mentioned several time here that the use of the openpgpkey
> sub-domain is required to allow implementation of the Web Key Directory
> in browsers.  This is a real world use case and pretty important for web
> mailers like protonmail.
> I would suggest that you put your energy on a useful task instead of
> confusing people here with crude arguments why we should support invalid
> X.509 certificates for TLS connections.
> Thus go for Google and Mozilla and convince them that SRV records are
> important for many applications.  That is not just for the Web Key
> Directory but also for XMPP clients in a browser and many other modern
> protocols.  After that as been achieved we can eventually migrate back
> to SRV records.

Hello Werner,

What you or maybe other people here do not get, I accept that there is for
the advanced-method a requirement to use an openpgpkey subdomain part,
which a) is triggered first and b) as understood by Damien's reply was asked
for by some JavaScript programmers. This is perfectly fine! *But* when
there exists also a direct-method in you current draft, which people like
to use, when low on budged or which like to avoid, for whatever privacy
reasons they have, the openpgpkey subdomain part, they should be
IMHO allowed to use the direct-method only or at least GnuPG and
gpg4win should fallback to this method, if a cert error, according to
GnuPG's or gpg4win's WKD implementation occurs. I guess this would
be a <5 minute quick fix in your codebase.

Please try also to not use the term invald cert, if a cert is valid and only
is 'invalid' in the current way of how GnuPG and gpg4win handles your
WKD implementation. People know now that other OpenPGP apps can
handle my key, from my GitHUb page.

Best regards

More information about the Gnupg-users mailing list