[mailop] OpenPGP WKD URL

Valtteri Vuorikoski vuori at notcom.org
Wed Feb 12 11:48:23 CET 2025


On Tue, Feb 11, 2025 at 05:44:49PM +0100, Vincent Breitmoser via Gnupg-users wrote:
> > The openpgpkey prefix thingy was only introduced to work around the
> > t-online.de/Stroehr website and DNS responsibility mess.  I wished I
> > never had introduced that - in particular because t-online then never
> > introduced WKD.
> 
> Yeah. Bummer it didn't work out with them, but I wager they're not the only
> ones with this management problem. Placing content directly on the main
> domain is certainly much more difficult in terms of processes and ownership
> than adding a specialized subdomain.

100% agree with Vincent here. The prefix (or another DNS-based indirection
mechanism from the domain apex) is absolutely required to deploy this kind of
less-known feature for a mid-size or larger organization.

Getting enough buy-in to have a DNS name added to a domain representing the
company brand is often hard enough. Getting changes to the corporate site or
company's primary service site is often close enough to impossible: whatever
HTTP service lives at the apex will often be operated by consultants operating
an outsourced CMS fronted by an outsourced cache farm fronted by an outsourced
WAF, which will nowadays often block anything that looks like "automated"
access. All of this will be zealously guarded by extremely risk-averse PR and
IT/security departments.

I have plenty of stories about getting a single, static, business-critical file
deployed to the apex site of a large corporation. Without going into detail, you
can often expect a multi-week if not multi-month effort involving upper management
for that single file.

 -Valtteri
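As an added illustration of what the thread calls the "openpgpkey prefix" (this is editor-supplied example code, not part of the message or of GnuPG): a WKD client derives two candidate locations for a key from an address. The advanced method puts everything under the `openpgpkey.<domain>` subdomain, which only needs a DNS record and a small dedicated host; the direct method needs the path served from the domain apex itself. The test vector `Joe.Doe@Example.ORG` and its hash are the ones given in the WKD draft; a domain owner can run this to see exactly which URLs a deployment has to answer.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first, without padding."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(_ZB32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD maps the lowercased local-part through SHA-1 and z-base-32 (32 characters)."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced (openpgpkey subdomain) and direct (apex) key URLs for an
    address, together with the policy files a client checks to detect deployment."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()  # domain is case-insensitive; ?l= keeps the local-part's case
    hu = wkd_hash(local_part)
    l = quote(local_part, safe="")
    adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct = f"https://{domain}/.well-known/openpgpkey"
    return {
        "hash": hu,
        "advanced_policy": f"{adv}/policy",
        "advanced_key": f"{adv}/hu/{hu}?l={l}",
        "direct_policy": f"{direct}/policy",
        "direct_key": f"{direct}/hu/{hu}?l={l}",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

Clients try the advanced form first and fall back to the direct one, so an organisation that can only obtain a DNS record (not changes to the apex site) can still deploy WKD completely.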