Error when trying to locate key via WKD

Christoph Klassen christoph-klassen at
Thu Oct 28 09:32:55 CEST 2021

On 27.10.21 22:54, Ingo Klöcker wrote:
> [Putting this back on the mailing list. Please keep replies on the list.]
> On Mittwoch, 27. Oktober 2021 21:20:03 CEST Christoph Klassen wrote:
>> On 27.10.21 20:54, Ingo Klöcker wrote:
>>> The important part is
>>> 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET
>>> /.well-known/openpgpkey/
>>> istoph-klassen HTTP/1.0\r\n i.e. in the URL that dirmngr requests there is
>>> an additional "" between "/openpgp/" and "/hu/" that is missing in
>>> your URL.
>> That would be the advanced method of WKD (Here's the draft:
>> which indeed doesn't work with my mail provider. But when I try the
>> direct method (Example from the draft:
>> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe) I can get the key from my
>> provider's WKD server. I admit I forgot the parameter in the URL I posted.
>> But that wasn't the point. My problem is that GnuPG couldn't get the key
>> via WKD and I don't understand why because it seems like it should work.
> The problem is that the domain exists (or seems to exist)
> although doesn't support the advanced method. The draft you mentioned
> says:
>     There are two variants on how to form the request URI: The advanced
>     and the direct method.  Implementations MUST first try the advanced
>     method.  Only if the required sub-domain does not exist, they SHOULD
>     fall back to the direct method.
>     The advanced method requires that a sub-domain with the fixed name
>     "openpgpkey" is created and queried.
> Because the sub-domain exists (or rather, seems to exist),
> gpg first tries the advanced method. This fails. gpg doesn't fall back to the
> direct method as per the spec: "Only if the required sub-domain does not
> exist, they SHOULD fall back to the direct method."
> The problem is that redirects any sub-domain to, e.g.
> `curl` is also redirected to ``. The
> problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.

Thank you for your explanation, Ingo! Now I understand what you meant. 
It's a pity that GPG doesn't fall back to the direct method.
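
The lookup rule discussed in this thread, as an added example (not code from the posts or from GnuPG): it builds the advanced and direct WKD URLs for the draft's example address Joe.Doe at example.org and shows how a zone that answers for every sub-domain steers a spec-following client to the advanced method. The function names, the `exists` resolver callback and the `wkd-probe-` label are assumptions made for illustration.

```python
import hashlib
import secrets
import socket
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet

def wkd_hash(local_part):
    """z-base-32 encoding of SHA-1 over the local part, ASCII letters lowercased."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    bits = int.from_bytes(hashlib.sha1(lowered.encode("utf-8")).digest(), "big")
    # 160 bits split into 32 groups of 5 bits, most significant group first
    return "".join(ZBASE32[(bits >> s) & 0x1F] for s in range(155, -1, -5))

def wkd_urls(email):
    """Request URLs for both methods; the l= parameter keeps the original case."""
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={quote(local, safe='')}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }

def dns_exists(host):
    """Live lookup (assumption: any address record counts as 'exists')."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def diagnose(email, exists=dns_exists):
    """Report the method a spec-following client picks and whether wildcard DNS is likely."""
    domain = email.rpartition("@")[2].lower()
    advanced = exists(f"openpgpkey.{domain}")
    # A random label should not resolve; if it does, the zone has a wildcard record
    wildcard = exists(f"wkd-probe-{secrets.token_hex(8)}.{domain}")
    method = "advanced" if advanced else "direct"
    return {"method": method, "wildcard_dns": wildcard, "url": wkd_urls(email)[method]}

if __name__ == "__main__":
    # Constructed resolvers so the example runs offline
    print(diagnose("Joe.Doe@example.org", exists=lambda host: True))  # wildcard zone
    print(diagnose("Joe.Doe@example.org", exists=lambda host: host == "example.org"))
```

A result with `method` set to `advanced` and `wildcard_dns` true matches the situation described above: the sub-domain only seems to exist, so the direct URL is never tried.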



More information about the Gnupg-users mailing list