<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 02.12.22 at 14:59, Werner
Koch wrote:<br>
</div>
<blockquote type="cite"
cite="mid:87pmd1ewk6.fsf@wheatstone.g10code.de">
<pre class="moz-quote-pre" wrap="">On Thu, 1 Dec 2022 14:45, Andreas Heinlein said:
</pre>
<blockquote type="cite" style="color: #007cff;">
<pre class="moz-quote-pre" wrap="">1. If I follow the guidelines for creating the directory
/var/lib/gnupg/wkd, it has ownership webkey:webkey and permissions
2750. So there is no chance for the apache user to be able to read
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">That does not look right. You should have o+rx for the directories and
o+r for the files.</pre>
</blockquote>
If I do that, I get:<br>
gpg-wks-server: directory '/var/lib/gnupg/wks' has too relaxed
permissions <br>
gpg-wks-server: Fix by running: chmod o-rw '/var/lib/gnupg/wks'<br>
<br>
This is gpg-wks-server version 2.2.27, as packaged with Debian 11.
If this is a (known) bug, I may try to get it fixed.<br>
<blockquote type="cite"
cite="mid:87pmd1ewk6.fsf@wheatstone.g10code.de">
<blockquote type="cite" style="color: #007cff;">
<pre class="moz-quote-pre" wrap="">suggested and I am submitting the key encrypted and signed with the
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">You should not sign the message.
The key to be published MUST be submitted using a PGP/MIME encrypted
message ({{{RFC(3156)}}}, section 4). The message MUST NOT be signed
(because the authenticity of the signing key has not yet been
confirmed).
I would also strongly suggest using gpg-wks-client.</pre>
</blockquote>
Thanks, I overlooked that. I find it a little difficult to instruct
normal users to configure their client to sign mails, but make an
exception when submitting their mail to the wks.<br>
<br>
I cannot use gpg-wks-client here - our folks are using thunderbird.
This is a known missing feature in thunderbird, WKS client support
got lost when moving from Enigmail to their own implementation. See
here:<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1695048">https://bugzilla.mozilla.org/show_bug.cgi?id=1695048</a><br>
<br>
For the moment it would be nice if we could "stretch" the RFC a
little and just ignore any signatures. Any way to achieve that, or
would it be necessary to patch the wks server?<br>
<blockquote type="cite"
cite="mid:87pmd1ewk6.fsf@wheatstone.g10code.de">
<blockquote type="cite" style="color: #007cff;">
<pre class="moz-quote-pre" wrap="">gpg-wks-server: gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">GnuPG 1.4 - really? Don't do this. And in particular not a 12-year-old
version.</pre>
</blockquote>
Yeah, I know. This was from an old testing machine, I wouldn't do
that in real life ;-)<br>
<blockquote type="cite"
cite="mid:87pmd1ewk6.fsf@wheatstone.g10code.de">
<blockquote type="cite" style="color: #007cff;">
<pre class="moz-quote-pre" wrap="">3. What is the behaviour when the WKS server receives a key for an
address for which it already has a (different) key? Will it replace
the old key, will it refuse or ignore the new one?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">The old key will be replaced after the confirmation has been received.</pre>
</blockquote>
That's what I expected.<br>
<br>
Thank you,<br>
Andreas<br>
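<p>The requirement Werner quotes above, that a WKS submission is a PGP/MIME encrypted message per RFC 3156 section 4 and is not signed, as an added example (not gpg-wks-server's or GnuPG's own code) that checks the outer MIME layout of a submission with Python's email module. It assumes a constructed sample message whose armored payload is a placeholder; a signature applied inside the encryption layer (RFC 3156 section 6.1, the form a mail client produces when it signs and encrypts) is only visible after decryption, so a second function checks the decrypted body.</p>

```python
# Added example, not gpg-wks-server's own code: check that a WKS key
# submission has the PGP/MIME layout RFC 3156 requires (section 4:
# multipart/encrypted, an application/pgp-encrypted control part with
# "Version: 1", and an application/octet-stream payload) and is not a
# signed message (section 5 as the outer layer, or 6.1 inside the encryption).
from email import message_from_string


def check_submission(raw: str) -> tuple[bool, str]:
    """Outer-structure check only; a signature nested inside the encrypted
    payload is visible only after decryption (see check_decrypted_body)."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return False, "outer layer is multipart/signed; submissions must not be signed"
    if ctype != "multipart/encrypted":
        return False, f"expected multipart/encrypted, got {ctype}"
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False, "protocol parameter is not application/pgp-encrypted"
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False, "multipart/encrypted must have exactly two parts"
    ctrl, data = parts
    if ctrl.get_content_type() != "application/pgp-encrypted" \
            or "Version: 1" not in ctrl.get_payload():
        return False, "control part is not application/pgp-encrypted 'Version: 1'"
    if data.get_content_type() != "application/octet-stream":
        return False, "payload part is not application/octet-stream"
    return True, "conforms to RFC 3156 section 4"


def check_decrypted_body(inner_raw: str) -> tuple[bool, str]:
    """Run on the MIME body recovered by decrypting the payload part."""
    inner = message_from_string(inner_raw)
    if inner.get_content_type() == "multipart/signed":
        return False, "decrypted body is multipart/signed (RFC 3156 section 6.1)"
    return True, "decrypted body is " + inner.get_content_type()


# Constructed sample of a conforming submission; the armored block is a
# placeholder, not a real OpenPGP message.
GOOD = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b1"\n\n--b1\nContent-Type: application/pgp-encrypted\n\n'
    'Version: 1\n--b1\nContent-Type: application/octet-stream\n\n'
    '-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n'
    '--b1--\n'
)

if __name__ == "__main__":
    print(check_submission(GOOD))
```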
</body>
</html>