On Fri, Jan 15, 2021 at 7:39 PM Ángel <an...@pgp.16bits.net> wrote:
>
> On 2021-01-15 at 07:56 +0100, Stefan Claas via Gnupg-users wrote:
> > Don't you think when GitHub, a major player, would have an invalid
> > SSL cert, that maybe one of the millions programmers there would not
> > have contacted GitHub, like I did, and say hey GitHub you serve
> > the global community and visitors an invalid SSL certificate? I must
> > admit that I also do not understand what you mean with sub-sub
> > domains. My GitHub page is sac001.github.io and not foo.bar.github.io
> > or whatever.
>
> By sub-sub-domains we are all talking about pages such as
> https://openpgpkey.sac001.github.io or https://helloworld.sac001.github.io
>
> Go there, click those links. You will see that -*after forcing your browser
> to ignore the invalid certificate*- there is a web page there returning
> a message of "Site not found", "404 There isn't a GitHub Pages site
> here".
>
> *I* don't know why they have such domains resolving. It may have been
> simpler to configure the dns server that way, or perhaps they just
> missed it. The funny thing is, I don't think there's a way to create a
> page in helloworld.sac001.github.io or openpgpkey.sac001.github.io, so
> these sites are mostly useless (if not directly problematic such as in
> WKD case), and I guess that's why no one really bothered about the
> invalid certificate for them (which isn't easy to solve, either).
>
> I don't know what process you used to contact GitHub support, but the
> question to ask would be precisely this:
> > Why is there something on https://openpgpkey.sac001.github.io ? How
> > can I modify it? If there is not, could you make it not to resolve?
>
> The reasons why it is picked has been, I think, explained already many
> times in this thread.

In this whole thread a lot of arguments have been made by all involved
people, which is of course good!

Non-technically speaking (let us forget for a moment DNS, SSL, wildcards
etc.): if you or someone else sets up a web server, for a big organisation
or for yourself, you simply put in the .well-known folder some content
which would then most likely look like this:

http://domain.tld/.well-known/etc...

or maybe

https://sub.domain.tld/.well-known/etc...

If someone now writes a program which needs to access content in the
well-known folder, why does a software author need to implement two
methods to access the well-known folder? This part for example I do not
understand, because if one method is not good or secure enough I would
simply drop one method and implement only the more secure and more
reliable one, or not?

The situation we now have is that we have two popular OpenPGP apps which
handle the access to the well-known openpgp directory differently, which
nobody can deny.

Let's assume the following: GitHub and Werner would have a meeting and
they would find no consensus. I for example can say I don't care about a
draft and happily promote sequoia-pgp usage over GnuPG usage, in case
OpenPGP users would like to use GitHub and WKD for a multi-purpose
OpenPGP too. That would probably pi*#-off Werner and a couple of others
very much, but I have not done anything wrong and people are allowed to
do the same.

So in the end I personally think that it can't be wrong if Werner would
discuss this and would act accordingly in a way that we all have a clear
overview of his WKD project.

I for example have found a WKD Golang library which, when noodling a bit
around, I can customize to my heart's content for other crypto apps and
then can present a WKD solution, based on the direct method, for other
non-OpenPGP software. Since this is all OpenSource and no commercial
licensed software, people have many options without following a draft ...

My intention was only to promote WKD OpenPGP usage for github.io pages
in case people like the idea.

How did I contact GitHub? I simply used their contact form, filled in my
request and then received a support ticket, and at the end I was asked to
fill out a customer survey, e.g. quality etc. of the support I received.
That is common with almost all U.S. based companies.

Best regards
Stefan
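
Added example, not part of the message above and not code from GnuPG, sequoia-pgp or the Go library mentioned: it builds the two WKD lookup URLs the thread is arguing about (advanced on the openpgpkey sub-domain, direct on the domain itself) and models a client that uses the advanced method whenever that sub-domain resolves. The URL layout and hash follow the WKD draft as assumed here; the function names, the injected resolver stub and the sample addresses are constructed for illustration.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def wkd_hash(local_part):
    """z-base-32 of SHA-1 over the lowercased local part (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")
    # 160 bits = 32 groups of 5 bits, most significant group first
    return "".join(ZBASE32[(n >> s) & 0x1F] for s in range(155, -1, -5))


def wkd_urls(address):
    """Return both candidate URLs for one mail address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not a mail address: %r" % address)
    domain = domain.lower()
    tail = "hu/%s?l=%s" % (wkd_hash(local), quote(local, safe=""))
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/%s"
                    % (domain, domain, tail),
        "direct": "https://%s/.well-known/openpgpkey/%s" % (domain, tail),
    }


def pick_method(address, resolves):
    """Assumed client rule: advanced if openpgpkey.<domain> resolves.

    `resolves` is a callable(hostname) -> bool, injected so the example
    runs offline; a real client would ask DNS.
    """
    domain = address.rpartition("@")[2].lower()
    return "advanced" if resolves("openpgpkey." + domain) else "direct"


if __name__ == "__main__":
    # Constructed resolver: every name under github.io resolves (wildcard),
    # as the quoted text describes for openpgpkey.sac001.github.io.
    wildcard = lambda host: host.endswith(".github.io")
    addr = "someone@sac001.github.io"  # constructed sample address
    method = pick_method(addr, wildcard)
    print(method, wkd_urls(addr)[method])
```

With the wildcard resolver the client never reaches the direct URL, even though only the direct host can carry a valid certificate and page content in the situation the thread describes.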