On 2021-01-09 at 23:40 +0100, Stefan Claas via Gnupg-users wrote:
> Well, I wish Werner would chime in, because what I really don't
> understand is why we have two options instead of one, and why the
> advanced method is the first one to be checked, if we have as the first one
> the direct method, which would tell me, as a layman, that a software
> would start first with the 'easier' method.
The way it is defined, it makes complete sense. The advanced method allows finer control. For example, you could have your web page on one host (such as a CDN you may not trust too much) and your PGP keys on a different host that you consider more trustworthy.

The terms easy and advanced refer to the difficulty of setting it up. Normally, creating a subdomain is more complex (you need to create a second DNS record, perhaps also create a new VirtualHost…). It is more powerful, but less accessible.

You need to check the first, since the bare domain is pretty much guaranteed to exist, even without any relation to OpenPGP keys. Plus, with the above, your lack of trust could be, e.g., that you don't want them, for privacy reasons, to know which keys are being fetched. Using a separate host that is tried first solves it.

> Fact for me is, I do have a site, which shows users a valid SSL cert
> and sequoia-pgp honors this, while GnuPG and gpg4win do not honor
> this and give a cert error for IMHO a second option GnuPG and gpg4win
> offer.

Sequoia is in the wrong here. You don't have a valid SSL cert for openpgpkey.sac001.github.io. Either they are not supporting the advanced method (maybe they follow an older draft?) or they ignore the certificate failure (which would be quite bad).

The issue here is why GitHub is publishing subdomains that nobody can use, anyway. This would usually be harder (why create an openpgp subdomain if you don't want it?), but GitHub's configuration is already sufficiently advanced that it breaks this (it was simpler for them to configure their nameservers to also return that for subdomains?).

Regards

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
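The lookup order discussed in the thread, as an added example that is not code from the post, from GnuPG or from Sequoia: it builds both Web Key Directory URLs for an address (SHA-1 of the lower-cased local part, z-base-32 encoded) and applies the rule from the WKD draft that the advanced method (the openpgpkey sub-domain) is tried first and the direct method is used only when that sub-domain does not resolve. A certificate failure on the sub-domain is treated as a hard error rather than a reason to fall back, which is the behaviour the post attributes to GnuPG. The address Joe.Doe@Example.ORG is the draft's own worked example; the local part "user" for sac001.github.io, the domain keys.example, and the DNS answers and fetch results are constructed stand-ins so the script runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple
from urllib.parse import quote

# Zooko's z-base-32 alphabet, the encoding the WKD draft uses for the hash.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode: MSB first, 5 bits per output character, no padding characters."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 31])
    if nbits:  # a final partial group is zero-padded on the right
        out.append(ZBASE32[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Tuple[str, str]:
    """Return (advanced_url, direct_url) for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l_param = quote(local, safe="")  # the original local part, not lower-cased
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}"
    return advanced, direct


def wkd_lookup(address: str,
               host_resolves: Callable[[str], bool],
               fetch: Callable[[str], Tuple[str, object]]) -> Dict[str, object]:
    """Choose the method the way the draft prescribes and fetch exactly once.

    host_resolves(host) -> True if the name has an A/AAAA record.
    fetch(url) -> ("ok", key_bytes) | ("tls_error", reason) | ("http_error", code)

    Only a non-existent openpgpkey sub-domain triggers the fallback to the
    direct method. A certificate failure on the sub-domain is reported as an
    error; ignoring it would let whoever answers for that host hand out keys.
    """
    domain = address.rsplit("@", 1)[1].lower()
    advanced, direct = wkd_urls(address)
    if host_resolves(f"openpgpkey.{domain}"):
        method, url = "advanced", advanced
    else:
        method, url = "direct", direct
    status, payload = fetch(url)
    return {"method": method, "url": url, "status": status, "payload": payload}


# --- Constructed stand-ins for DNS and HTTPS (no network access) -------------
# Three scenarios: a host whose DNS answers for openpgpkey.* but whose
# certificate does not cover that name (the github.io case in the thread), a
# domain that never created the sub-domain, and a working advanced-method host.
CONSTRUCTED_DNS = {
    "openpgpkey.sac001.github.io": True,   # resolves, but the cert does not match
    "openpgpkey.example.org": False,       # NXDOMAIN -> direct method
    "openpgpkey.keys.example": True,       # hypothetical working advanced setup
}


def constructed_resolves(host: str) -> bool:
    return CONSTRUCTED_DNS.get(host, False)


def constructed_fetch(url: str) -> Tuple[str, object]:
    if url.startswith("https://openpgpkey.sac001.github.io/"):
        return ("tls_error", "certificate does not match openpgpkey.sac001.github.io")
    if url.startswith("https://example.org/") or url.startswith("https://openpgpkey.keys.example/"):
        return ("ok", b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n...constructed...\n")
    return ("http_error", 404)


if __name__ == "__main__":
    for addr in ("user@sac001.github.io", "Joe.Doe@Example.ORG", "alice@keys.example"):
        r = wkd_lookup(addr, constructed_resolves, constructed_fetch)
        print(f"{addr}: {r['method']} via {r['url']} -> {r['status']}")
```

Run as a script, the first address ends in a TLS error on the advanced URL with no fallback, the second falls back to the direct method because the sub-domain does not exist, and the third succeeds on the advanced URL. Swapping `host_resolves` for a real DNS query and `fetch` for an HTTPS client with certificate verification turned on gives a minimal, spec-conforming resolver.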