Error when trying to locate key via WKD

Ingo Klöcker kloecker at kde.org
Wed Oct 27 22:54:48 CEST 2021


[Putting this back on the mailing list. Please keep replies on the list.]

On Mittwoch, 27. Oktober 2021 21:20:03 CEST Christoph Klassen wrote:
> On 27.10.21 20:54, Ingo Klöcker wrote:
> > The important part is
> > 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
> > i.e. in the URL that dirmngr requests there is an additional "mail.de" between "/openpgp/" and "/hu/" that is missing in your URL.
> 
> That would be the advanced method of WKD (here's the draft:
> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/),
> which indeed doesn't work with my mail provider. But when I try the
> direct method (example from the draft:
> https://example.org/.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe)
> I can get the key from my provider's WKD server. I admit I forgot the
> parameter in the URL I posted.
> 
> But that wasn't the point. My problem is that GnuPG couldn't get the key
> via WKD and I don't understand why because it seems like it should work.

The problem is that the domain openpgpkey.mail.de exists (or seems to exist) 
although mail.de doesn't support the advanced method. The draft you mentioned 
says:

   There are two variants on how to form the request URI: The advanced
   and the direct method.  Implementations MUST first try the advanced
   method.  Only if the required sub-domain does not exist, they SHOULD
   fall back to the direct method.

   The advanced method requires that a sub-domain with the fixed name
   "openpgpkey" is created and queried.

Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist), 
gpg first tries the advanced method. This fails. gpg doesn't fall back to the 
direct method as per the spec: "Only if the required sub-domain does not 
exist, they SHOULD fall back to the direct method."

The problem is that mail.de redirects any sub-domain to mail.de, e.g.
`curl https://foobar.mail.de` is also redirected to `https://mail.de`. The 
problem with wildcard sub-domains and WKD has been discussed here or on 
gnupg-devel recently.

Regards,
Ingo
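To make the two request URIs and the "advanced first, direct only if the sub-domain does not exist" rule concrete, here is an added example (not code from this thread or from GnuPG/dirmngr) that builds both URIs for an address and applies the rule. The hashed local part follows the draft (SHA-1 of the lowercased local part, z-base-32 encoded); the sub-domain check is injected as a callable so the example runs offline, and `dns_subdomain_exists` is only an illustrative live check.

```python
import base64
import hashlib
import socket
from typing import Callable, Dict, List
from urllib.parse import quote

# z-base-32 uses the same MSB-first 5-bit grouping as RFC 4648 base32,
# only with a different alphabet, so we can reuse b32encode and swap letters.
_B32 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = b"ybndrfg8ejkmcpqxot1uwisza345h769"
_TRANS = bytes.maketrans(_B32, _ZB32)


def wkd_hash(local_part: str) -> str:
    """Hashed local part: SHA-1 of the lowercased local part, z-base-32 (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).translate(_TRANS).decode("ascii")


def wkd_urls(addr: str) -> Dict[str, str]:
    """Advanced and direct request URIs for addr, as in the draft."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={quote(local)}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }


def wkd_lookup_plan(addr: str, subdomain_exists: Callable[[str], bool]) -> List[str]:
    """URIs a spec-conforming client tries, in order.

    If the openpgpkey sub-domain exists, only the advanced method is used;
    a wildcard DNS entry (as with mail.de) therefore blocks the fallback even
    when the advanced request itself fails. Only a missing sub-domain leads
    to the direct method being tried after the failed advanced attempt.
    """
    urls = wkd_urls(addr)
    domain = addr.rsplit("@", 1)[1].lower()
    if subdomain_exists(f"openpgpkey.{domain}"):
        return [urls["advanced"]]
    return [urls["advanced"], urls["direct"]]


def dns_subdomain_exists(host: str) -> bool:
    """Illustrative live check (not used offline): does the name resolve at all?"""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False
```

Passing `lambda h: True` as the check reproduces the mail.de situation from the log above: the plan contains only the advanced URI, so a 404 or redirect there ends the lookup.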