[Putting this back on the mailing list. Please keep replies on the list.]

On Wednesday, 27 October 2021 21:20:03 CEST Christoph Klassen wrote:
> On 27.10.21 20:54, Ingo Klöcker wrote:
> > The important part is
> > 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
> > i.e. in the URL that dirmngr requests there is an additional "mail.de" between "/openpgp/" and "/hu/" that is missing in your URL.
>
> That would be the advanced method of WKD (Here's the draft: https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/), which indeed doesn't work with my mail provider. But when I try the direct method (Example from the draft: https://example.org/.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe) I can get the key from my provider's WKD server. I admit I forgot the parameter in the URL I posted.
>
> But that wasn't the point. My problem is that GnuPG couldn't get the key via WKD and I don't understand why because it seems like it should work.
The problem is that the domain openpgpkey.mail.de exists (or seems to exist) although mail.de doesn't support the advanced method. The draft you mentioned says:

    There are two variants on how to form the request URI: The advanced and the direct method. Implementations MUST first try the advanced method. Only if the required sub-domain does not exist, they SHOULD fall back to the direct method. The advanced method requires that a sub-domain with the fixed name "openpgpkey" is created and queried.

Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist), gpg first tries the advanced method. This fails. gpg doesn't fall back to the direct method as per the spec: "Only if the required sub-domain does not exist, they SHOULD fall back to the direct method."

The problem is that mail.de redirects any sub-domain to mail.de, e.g. `curl https://foobar.mail.de` is also redirected to `https://mail.de`. The problem with wildcard sub-domains and WKD has been discussed here or on gnupg-devel recently.

Regards,
Ingo
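As an added illustration (not code from this thread or from GnuPG itself), the script below builds both WKD request URIs from a mail address, using the SHA-1 / z-base-32 hashing of the local part that the draft specifies, and applies the draft's method-selection rule. The resolver callbacks, the `wildcard_resolver` / `strict_resolver` names and the `someone@mail.de` address are constructed stand-ins for DNS, chosen to show how a wildcard sub-domain keeps the lookup on the advanced method with no fallback.

```python
import hashlib
from typing import Callable

# z-base-32 alphabet used by WKD for the hashed local part (draft-koch-openpgp-webkey-service)
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZB32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 characters)."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method request URIs for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={local}"  # l= carries the local part unchanged
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }


def choose_method(address: str, subdomain_exists: Callable[[str], bool]) -> str:
    """Apply the draft's rule: advanced if openpgpkey.<domain> exists, else direct.
    Note there is no fallback to direct once the sub-domain resolves."""
    domain = address.rsplit("@", 1)[1].lower()
    return "advanced" if subdomain_exists(f"openpgpkey.{domain}") else "direct"


# Constructed resolver: a wildcard DNS setup where every *.mail.de name resolves.
def wildcard_resolver(hostname: str) -> bool:
    return hostname == "mail.de" or hostname.endswith(".mail.de")


# Constructed resolver: a provider that publishes no openpgpkey sub-domain at all.
def strict_resolver(hostname: str) -> bool:
    return hostname == "example.org"


if __name__ == "__main__":
    for addr, resolver in [("Joe.Doe@Example.ORG", strict_resolver),
                           ("someone@mail.de", wildcard_resolver)]:
        method = choose_method(addr, resolver)
        print(f"{addr}: {method} -> {wkd_urls(addr)[method]}")
```

With the wildcard resolver the mail.de address is pinned to the advanced URI, which the provider then redirects away from, matching the dirmngr trace quoted above.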
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users