On Sat, Jan 16, 2021 at 02:20:17AM +0100, Stefan Claas <spam.trap.mailing.li...@gmail.com> wrote:
> On Sat, Jan 16, 2021 at 1:45 AM raf via Gnupg-users
> <gnupg-users@gnupg.org> wrote:
> >
> > But there is no certificate that covers that sub-sub-domain.
> > That's why browsers complain if you go to
> > https://openpgpkey.sac001.github.io/.
>
> A quick question, if you don't mind. Why do people here on this ML
> insist on a sub-sub domain, named openpgpkey?

Because that's how WKD is defined to work.

> Have you ever maintained a web server?

Yes (but that's not really relevant).

> I am not using the html protocol that much, but for me the openpgpkey
> part in, the for me fictitious, URL, causes this error, because GnuPG or
> gpg4win is looking for this.

It's not fictitious. WKD clients try to resolve it (i.e. look it up via
the DNS protocol), and github's DNS servers successfully return several
IP addresses for it. Therefore, as far as github, the owner of the
domain, is concerned, it is real and therefore not fictitious.

> I ask, because for me the proper URL would be:
>
> https://sac001.github.io/.well-kown/openpgpkey/etc..

What you refer to as "proper" is just the direct method. That's only
half of the WKD protocol. There is also the advanced method. Both
methods together comprise the WKD protocol.

> And therefore I see absolutely no reason why GitHub or anybody
> else should change their valid SSL cert(s) or do elsewhere some
> mumbo jumbo, so to speak.

If their SSL cert were valid for your sub-sub-domain, there would be no
reason to change, but as has been pointed out many many times, their
certificate is only valid for the domains that it is valid for. It is
not valid for anything else, and the domain
openpgpkey.sac001.github.com is one of the domains for which github's
certificate is not valid.

If this seems like mumbo jumbo to you, please accept that it really
isn't. It's just that you aren't familiar enough with all of the
protocols involved. And if that's the case, you can't with any
confidence assert that github's certificate is valid (for anything
other than the domains that are bound to the certificate).

> And even if people had to set up these extra steps for the advanced
> method, then at least there is still some room for explaining why then
> also using the direct method, or not, because of the name
> 'advanced', which tells me it has higher priority than direct.

It has been explained a few times already. But if the explanations
aren't making sense, perhaps you need more background information in
order to understand the explanations that have been given. Perhaps you
could read up on DNS and TLS and WKD. I'd recommend the O'Reilly books
on Bind and OpenSSL. There are probably free online resources but those
books are good. But maybe I just like books for learning big new
subjects. And also the WKD draft, of course. Sorry to suggest a pile of
reading material, but I can't think of a better way to learn the
relevant topics.

> I must say good night now.
>
> Best regards
> Stefan

cheers,
raf

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
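The two WKD methods raf describes, and the reason a wildcard certificate for GitHub Pages cannot cover the advanced-method host, can be shown concretely. The following is an added example written for this page; it is not code from the thread, from GnuPG or from GitHub. It derives the direct and advanced WKD URLs for a mail address (SHA-1 of the lower-cased local part, z-base-32 encoded, as the WKD draft specifies) and then checks whether a list of certificate subjectAltName entries covers each method's host. The SAN list `CONSTRUCTED_SANS`, the address `someone@sac001.github.io` and all function names are assumptions made up for the example; the SAN list is illustrative and is not a copy of GitHub's real certificate.

```python
"""WKD URL derivation (direct and advanced method) plus a hostname-vs-SAN
coverage check. Added example, not code from the thread or from GnuPG."""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet, as used by WKD for the hashed local part.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Constructed, illustrative SAN list for a wildcard hosting certificate.
# It is NOT a copy of GitHub's real certificate.
CONSTRUCTED_SANS = ["*.github.io", "github.io"]


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per symbol, no padding characters)."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5                 # right-pad to a multiple of 5 bits
    value <<= pad
    nbits += pad
    return "".join(
        ZB32_ALPHABET[(value >> (nbits - 5 * (i + 1))) & 0x1F]
        for i in range(nbits // 5)
    )


def wkd_hash(local_part: str) -> str:
    """WKD: lower-case the local part, SHA-1 it, z-base-32 the 20-byte digest."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address: str) -> dict:
    """Return both WKD lookup URLs for a mail address.

    advanced: https://openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/<hash>?l=<local>
    direct:   https://<domain>/.well-known/openpgpkey/hu/<hash>?l=<local>
    A client tries the advanced method first and falls back to the direct
    method only if the openpgpkey host does not exist in DNS.
    """
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    return {
        "advanced_host": "openpgpkey." + domain,
        "direct_host": domain,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


def san_covers(san_names, hostname: str) -> bool:
    """Does any dNSName SAN cover hostname?  Exact match, or a wildcard in the
    leftmost label that matches exactly one label (RFC 6125 rules), so
    '*.github.io' covers 'sac001.github.io' but not
    'openpgpkey.sac001.github.io'."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        labels = name.split(".")
        if name == host:
            return True
        if (labels[0] == "*" and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def check_wkd_hosts(address: str, san_names) -> dict:
    """Map each WKD method to whether the given certificate SANs cover its host."""
    urls = wkd_urls(address)
    return {
        "direct": san_covers(san_names, urls["direct_host"]),
        "advanced": san_covers(san_names, urls["advanced_host"]),
    }


if __name__ == "__main__":
    # Constructed sample address on the GitHub Pages domain from the thread.
    addr = "someone@sac001.github.io"
    for method, url in wkd_urls(addr).items():
        print(f"{method:14} {url}")
    print(check_wkd_hosts(addr, CONSTRUCTED_SANS))
```

Running it shows the thread's situation in one line of output: the direct host `sac001.github.io` is covered by `*.github.io`, while the advanced host `openpgpkey.sac001.github.io` is not, because a wildcard matches exactly one DNS label. DNS resolving the advanced host (as the wildcard DNS does) is a separate question from whether TLS validation will succeed there, and a client that starts with the advanced method will see the certificate error first.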