On Wed, Jan 13, 2021 at 7:26 PM André Colomb <an...@colomb.de> wrote:
>
> On 13/01/2021 17.56, Stefan Claas wrote:
>
> >> What are droplets? For which domain did you generate a wildcard
> >> certificate? What are the DNS settings on that domain? I could take a
> >> look at what responses are returned from the real domain, but need some
> >> information at least which OpenPGP user ID should be fetchable over WKD
> >> from that domain. If you're even interested in learning about how to
> >> set up WKD properly.
> >
> > Digital Ocean calls their VPS servers droplets and if I were to set them up
> > as a test rig, I would use three, like '300baud.de', 'foo.300baud.de'
> > and 'bar.300baud.de'. In 300baud.de I would set up the WKD directory and
> > the SSL cert, with an entry for wildcard subdomains which would then cover
> > hosts foo and bar. In the WKD directory I would then put a couple of keys
> > with proper sample email addresses from all three hosts.
>
> That's a lot of "ifs". Right now, 300baud.de has neither A nor AAAA nor
> CNAME record, so there is no server IP address to contact. Obviously
> there is also no wildcard record either, as e.g. www.300baud.de does not
> resolve. It's not clear to me which (sub)domain you would want to use
> in a fictional OpenPGP key's user ID?

There is currently no server running under my 300baud.de domain. I had to
shut them down due to recent changes in DO's TOS.

> > With this set-up, without noodling around with records settings at my domain
> > service (for ease of use and managing WKD) I strongly assume that this
> > set-up follows the direct method and works with sequoia-pgp properly and
> > should fail currently with GnuPG and gpg4win, same as it fails with GitHub.
>
> It's actually pretty easy. If the openpgpkey... subdomain resolves
> (explicit entry or DNS wildcard), then the advanced method is used.
> Otherwise the simple method. That's the only difference, and it does
> not depend on whatever your certificate contains.
>
> Depending on the chosen method, you need to make sure that there is a
> web server answering with a *valid* TLS certificate and with the proper
> expected directory structure. There is no reason at all to "strongly
> assume" any malfunction or bug in GnuPG and I assure you that it's
> possible to make either method work.

Mmmh, probably we can discuss this *valid* until we get blue in the face ...

> The only difference for Sequoia is that it ignores your expressed intent
> to use the advanced method if something is misconfigured, and falls back
> to the simple method. GnuPG does not do that, because it correctly
> follows the specification word by word.

Which would make sense to me and thankfully sequoia-pgp does this.

> > IIRC the (old) WKD specs did not mention nor did they say that it was
> > required to noodle around with domain settings, regarding the openpgpkey
> > folder when setting up records for hosts with a domain service provider.
>
> WKD is still an Internet *Draft*, so it's expected to find corner cases
> like yours that are not yet 100 % unambiguous. That's what the drafting
> process and public discussion is intended for. Different
> interpretations should not be possible, and you found a case where
> Sequoia and GnuPG really do differ. But it still does *not* say one
> needs to "noodle around with domain settings". It points you to the
> right spice to add just in case your domain settings are already a
> noodle soup.

Draft, yes I know, and I desperately hope with this whole thread that Werner
and, most importantly, OpenPGP users and organizations around the globe think
about this, because it could IMHO have a *major* impact on OpenPGP key
distribution when it comes to easily setting up and maintaining a WKD service
themselves, while not relying on third parties like Hagrid or later the
hockeypuck network, for whatever reasons people may have.

sequoia did the right step and I hope for people relying on GnuPG that it is
possible for them in the future too.

Best regards
Stefan
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
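The method-selection rule André describes (advanced method whenever openpgpkey.<domain> resolves, otherwise the direct method) and the Sequoia fallback Stefan prefers are easy to misjudge without seeing the URLs each method produces. The following Python script is an added illustration written for this page; it is not code from GnuPG, Sequoia or the WKD draft. It builds both WKD URLs for a user ID (lowercased local-part, SHA-1, z-base-32, the draft's layout) and models the two client policies with constructed in-memory stand-ins for DNS and HTTPS, so it runs offline. The 300baud.de scenario, the mailbox name and the key material are constructed for the demonstration; the Sequoia policy is simplified to "try advanced, then direct".

```python
"""WKD URL construction and the two lookup policies discussed in the thread.

Added illustration, not code from GnuPG or Sequoia. DNS and HTTPS are
replaced by constructed in-memory tables so the example runs offline.
"""
import hashlib

# z-base-32 alphabet, the encoding the WKD draft uses for the hashed local-part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per character, most significant bits first)."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5  # a 160-bit SHA-1 digest needs no padding: exactly 32 chars
    bits <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))


def wkd_urls(userid: str) -> dict:
    """Return the advanced and direct WKD URLs for a mail address.

    The local-part is lowercased, SHA-1 hashed and z-base-32 encoded; the
    domain is lowercased; the original local-part travels in the ?l= query.
    """
    local, domain = userid.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={local}",
    }


def lookup(userid, resolves, fetch, policy="gnupg"):
    """Fetch a key the way each client chooses between the two methods.

    resolves(hostname) -> bool stands in for a DNS query.
    fetch(url) -> bytes | None stands in for an HTTPS GET that yields None on
    any failure (no server, invalid certificate, missing file).

    'gnupg':   the advanced method is used whenever openpgpkey.<domain>
               resolves, and a failure there is final.
    'sequoia': the advanced method is tried first and, if it fails, the
               direct method is tried as well (simplified model).
    """
    urls = wkd_urls(userid)
    domain = userid.rsplit("@", 1)[1].lower()
    if policy == "gnupg":
        url = urls["advanced"] if resolves(f"openpgpkey.{domain}") else urls["direct"]
        return fetch(url)
    if policy == "sequoia":
        return fetch(urls["advanced"]) or fetch(urls["direct"])
    raise ValueError(f"unknown policy {policy!r}")


# Constructed scenario modelled on the thread: a wildcard DNS record makes
# openpgpkey.300baud.de resolve, but the key directory only exists under the
# direct-method layout at the apex domain. Mailbox and key are placeholders.
KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK----- (constructed placeholder)"
TEST_USERID = "someone@300baud.de"


def _wildcard_resolves(hostname: str) -> bool:
    """Constructed DNS: every name under 300baud.de resolves via the wildcard."""
    return hostname.endswith("300baud.de")


_direct_only_site = {wkd_urls(TEST_USERID)["direct"]: KEY}


def _fetch(url: str):
    """Constructed HTTPS: only the direct-method path serves a key."""
    return _direct_only_site.get(url)


def demo() -> dict:
    """Outcome of both client policies in the constructed wildcard scenario."""
    return {
        "gnupg": lookup(TEST_USERID, _wildcard_resolves, _fetch, "gnupg"),
        "sequoia": lookup(TEST_USERID, _wildcard_resolves, _fetch, "sequoia"),
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:8s} {url}")
    for client, result in demo().items():
        print(f"{client:8s} {'key found' if result else 'lookup failed'}")
```

Running it shows the asymmetry the thread is about: with a wildcard record in place and only the direct layout published, the GnuPG-style policy commits to the advanced URL and fails, while the Sequoia-style policy recovers via the direct URL. Without the wildcard record both policies go straight to the direct method and succeed, which is why André's advice amounts to either serving the advanced layout on the openpgpkey host or making sure that host does not resolve.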