Hi Stefan,

On Fri, 08 Jan 2021 23:05:52 +0100, Stefan Claas via Gnupg-users wrote:
> On Fri, Jan 8, 2021 at 10:21 PM Stefan Claas
> <spam.trap.mailing.li...@gmail.com> wrote:
>
> > I guess the only way to fix it (for many people) would be
> > that, as of my understanding (now) the WKD check
> > and SSL cert check would be a bit more flexible, either
> > in allowing subdomains, like the github.io ones in form
> > of a fix in the code or as setting in GnuPG's config file.
> >
> > I could be totally wrong of course, so let's see what
> > Werner says.
>
> Well, I guess I am right, just did a gpg --debug-level guru
> under cmd.exe:
>
> ...
> gpg: DBG: chan_0x00000254 -> WKD_GET -- ste...@sac001.github.io
> gpg: DBG: chan_0x00000254 <- S SOURCE https://openpgpkey.sac001.github.io
> gpg: DBG: chan_0x00000254 <- S NOTE tls_cert_error 285212985 bad cert
> for 'openpgpkey.sac001.github.io': Hostname does not match the
> certificate
> gpg: Hinweis: Der Server benutzt eine ungültiges Zertifikat
> gpg: DBG: chan_0x00000254 <- ERR 285212985 Falscher Name <TLS>
It appears that gpg is trying the advanced lookup method, gets an error, and then doesn't fall back to the direct lookup method. This is consistent with the I-D:

  3.1. Key Discovery

  ...

  There are two variants on how to form the request URI: The advanced
  and the direct method. Implementations MUST first try the advanced
  method. Only if the required sub-domain does not exist, they SHOULD
  fall back to the direct method.

  https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07

It appears that github.com's DNS is configured such that all domains under github.com resolve to github.com's web server, even sub-subdomains. For instance, https://asdflkjasdfj.asdflkjasdflkj.github.com/ resolves to a 404.

So, it seems that you'll need to create openpgpkey.sac001.github.com. Further, you'll have to figure out how to get a valid certificate for it. At least Firefox considers github.com's certificate to be valid for foo.github.com, but not bar.foo.github.com.

:) Neal

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
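As an added example (not code from GnuPG and not part of either poster's message), the following Python models the two pieces the thread turns on: how a WKD request URI is formed (SHA-1 of the lower-cased local-part, z-base-32 encoded, placed under the `openpgpkey.` sub-domain for the advanced method or directly under the mail domain for the direct method, with the local-part repeated as the `l=` query parameter in current drafts), and the lookup order the quoted I-D prescribes, where a client falls back from advanced to direct only when the sub-domain does not exist. A constructed `fetch` stand-in replaces DNS and HTTPS so the "sub-domain exists but the certificate does not cover it" case from the debug output above can be exercised offline; the exception classes, the `fetch` callback and the host table are assumptions made for this demonstration, not GnuPG internals.

```python
"""Web Key Directory (WKD) request-URI construction and advanced-before-direct
lookup order, after draft-koch-openpgp-webkey-service section 3.1.

Added example for this thread; not GnuPG code. The fetch callback, the
exception names and the sample host tables are constructed assumptions.
"""
import hashlib
from urllib.parse import quote, urlparse

# z-base-32 alphabet used by WKD for the hashed local-part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5 bits per character, most significant bit first, no padding characters."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # right-pad the bit string to a multiple of 5 so the last character is complete
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local-part, z-base-32 encoded (160 bits -> 32 characters)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str):
    """Return (advanced_url, direct_url) for a mail address."""
    local_part, _, domain = email.rpartition("@")
    domain = domain.lower()
    digest = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")   # local-part as given, percent-encoded
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{digest}{query}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{digest}{query}"
    return advanced, direct


class SubdomainMissing(Exception):
    """Assumed error: the openpgpkey sub-domain does not exist in DNS (NXDOMAIN)."""


class TlsCertError(Exception):
    """Assumed error: the host answered, but its certificate does not cover the host name."""


def wkd_lookup(email: str, fetch):
    """Apply the I-D's order: try advanced first; fall back to direct only if the sub-domain is missing."""
    advanced, direct = wkd_urls(email)
    try:
        return "advanced", fetch(advanced)
    except SubdomainMissing:
        # The only condition under which the draft lets a client fall back.
        return "direct", fetch(direct)
    # Any other failure (TLS certificate mismatch, HTTP error) propagates: the
    # sub-domain exists, so the client does not silently retry the direct URL.


def lookup_result(email: str, fetch) -> str:
    """Summarise a lookup as 'advanced', 'direct' or the name of the error that stopped it."""
    try:
        method, _ = wkd_lookup(email, fetch)
        return method
    except (SubdomainMissing, TlsCertError) as exc:
        return type(exc).__name__


def make_fake_fetch(hosts: dict):
    """Constructed stand-in for DNS + HTTPS: host name -> bytes to return or exception to raise.
    Hosts absent from the table behave as NXDOMAIN."""
    def fetch(url: str):
        host = urlparse(url).hostname
        outcome = hosts.get(host, SubdomainMissing(host))
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return fetch


if __name__ == "__main__":
    # Constructed scenario 1: no openpgpkey sub-domain at all -> direct method is used.
    plain = make_fake_fetch({"example.org": b"-- key data --"})
    print("example.org:", lookup_result("Joe.Doe@Example.ORG", plain))
    # Constructed scenario 2: the sub-domain resolves (wildcard DNS) but the certificate
    # only covers one label below the apex, as in the debug output -> hard TLS error.
    wildcard = make_fake_fetch({
        "openpgpkey.user.pages.example": TlsCertError("Hostname does not match the certificate"),
        "user.pages.example": b"-- key data --",
    })
    print("user.pages.example:", lookup_result("someone@user.pages.example", wildcard))
```

The second scenario is the shape of the failure in the quoted log: because the wildcard DNS makes `openpgpkey.<sub>` exist, the client never reaches the direct URL, and the certificate mismatch is reported as a hard error rather than triggering a fallback. Publishing under the direct method alone does not help until the sub-domain stops resolving or gets a certificate that covers it.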