WKD Research: Measuring use. Any mailinglist maintainers that would help?

Bernhard Reiter bernhard at intevation.de
Sat Oct 23 17:19:50 CEST 2021


Hi Erich,

On Friday, 22 October 2021, 19:17:07 CEST, Erich Eckner via Gnupg-users wrote:

> There are two parts of the usage: The publishing part and the
> search-for-and-use-if-available part. Both need separate measurements, I
> think.

Yes, though we want to focus on the latter part.
 
> > One idea is: If we have a public email address where a lot of emails are
> > sent to, e.g. the submission address of a mailinglist
> > we could set up an OpenPGP key for it via WKD
> > and use a small tool to pipe each incoming mail through on the server
> > to decrypt and count the mail.
> 
> Wouldn't this break DKIM signatures on the mail?

Good question.
Mailman, as a popular mailinglist software, already modifies mails and thus may
break these DKIM signatures. I need to do more research on this concern.
(Here is an old Mailman Discussion https://wiki.list.org/DEV/DKIM)

> Just to be clear: You intend to send the encrypted mail through the mailing
> list as usual, right?

Yes, unencrypted, of course.

> Also: This would only cover mailing lists and thus skew the results. What
> about organizations, that use WKD in-house, but whose members rarely write
> to mailing lists?

If you have any ideas how to do a direct or indirect measurement, I'd like to 
hear about them. 
  
> If you want to fiddle around with mailservers, I would prefer your second
> approach: You measure the requests to the webserver, but actually don't
> offer a key via WKD - thus, the email flow is undisturbed, but you still
> get your metrics.

True, using the weblogs may give some indications. However,
it does not measure if the clients later actually would understand the pubkey
and send encrypted emails, and an advanced client may cache the results of a
WKD request for a limited time.
 
> For measuring the publishing part, one could actively query for WKD on
> known MX domains.

(As written above, the work is more focused on the client, but following up 
your suggestion: That they offer a WKD in principle does not say much about 
how many email addresses actually offer a key, as we cannot walk them and need 
an email address before we could actually do a real query. Otherwise, it would be
interesting to see if there are more prominent WKD offers out there.)

> For measuring the usage part, I think, it's more valuable to have a look
> at available software and their features: How many people use mail client
> X, and does X have WKD enabled by default or can it use WKD at all / as a
> fallback / ...

This is a good suggestion, Christoph has already been doing this for a while.

Thanks for your feedback!

Best Regards,
Bernhard
ps.: I've chosen to have this discussion in gnupg-users, where Christoph and I
are subscribed.
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
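
The weblog measurement discussed in this message could be sketched as follows; this is an added example, not code from the post or from the GnuPG project. It assumes Combined Log Format access logs and a server that offers no key (so lookups end in 404); `summarize`, `SAMPLE`, the agent names and the hashed local-part value are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?')
# WKD paths: the advanced method carries the mail domain as a path segment,
# the direct method does not. [a-z0-9] is a superset of the z-base-32 alphabet.
WKD_RE = re.compile(
    r'^/\.well-known/openpgpkey/(?:(?P<domain>[^/]+)/)?'
    r'(?:hu/(?P<hu>[a-z0-9]{32})|(?P<policy>policy))$')

def summarize(lines):
    """Count WKD lookups in access-log lines; ignore everything else."""
    stats = {"direct": 0, "advanced": 0, "policy": 0,
             "per_day": Counter(), "agents": Counter(), "lookups": set()}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        # Match on the path only: the ?l=<local-part> query is dropped so the
        # statistics never contain a clear-text address.
        w = WKD_RE.match(urlsplit(m["target"]).path)
        if not w:
            continue
        if w["policy"]:
            stats["policy"] += 1
            continue
        stats["advanced" if w["domain"] else "direct"] += 1
        stats["per_day"][m["day"]] += 1
        stats["agents"][m["agent"] or "-"] += 1
        # Repeats from one client for one hashed local-part collapse into one
        # entry; lookups answered from a client-side cache never reach the log.
        stats["lookups"].add((m["host"], w["hu"]))
    return stats

HU = "iy9q119eutrkn8s1mk4r39qejnbu3n5q"  # constructed 32-character value
def _line(host, day, path, agent):
    return f'{host} - - [{day}:10:00:00 +0200] "GET {path} HTTP/1.1" 404 153 "-" "{agent}"'

SAMPLE = [  # constructed log lines using documentation addresses
    _line("192.0.2.10", "23/Oct/2021", f"/.well-known/openpgpkey/example.org/hu/{HU}?l=Joe.Doe", "ExampleMUA-A/1.0"),
    _line("192.0.2.10", "23/Oct/2021", "/.well-known/openpgpkey/example.org/policy", "ExampleMUA-A/1.0"),
    _line("198.51.100.7", "24/Oct/2021", f"/.well-known/openpgpkey/hu/{HU}?l=Joe.Doe", "ExampleMUA-B/2.0"),
    _line("192.0.2.10", "24/Oct/2021", f"/.well-known/openpgpkey/example.org/hu/{HU}?l=Joe.Doe", "ExampleMUA-A/1.0"),
    _line("203.0.113.5", "24/Oct/2021", "/index.html", "Mozilla/5.0"),
]
```

The counts show which clients look for a key, not whether they would go on to encrypt, which is the limitation raised in the reply above.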