On 27.10.21 22:54, Ingo Klöcker wrote:
> [Putting this back on the mailing list. Please keep replies on the list.]
>
> On Wednesday, 27 October 2021 21:20:03 CEST Christoph Klassen wrote:
>> On 27.10.21 20:54, Ingo Klöcker wrote:
>>> The important part is
>>>
>>> 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
>>>
>>> i.e. in the URL that dirmngr requests there is an additional "mail.de"
>>> between "/openpgp/" and "/hu/" that is missing in your URL.
>>
>> That would be the advanced method of WKD (here's the draft:
>> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/),
>> which indeed doesn't work with my mail provider. But when I try the
>> direct method (example from the draft:
>> https://example.org/.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe)
>> I can get the key from my provider's WKD server. I admit I forgot the
>> parameter in the URL I posted. But that wasn't the point. My problem is
>> that GnuPG couldn't get the key via WKD and I don't understand why
>> because it seems like it should work.
>
> The problem is that the domain openpgpkey.mail.de exists (or seems to exist)
> although mail.de doesn't support the advanced method. The draft you mentioned
> says:
>
>     There are two variants on how to form the request URI: The advanced
>     and the direct method. Implementations MUST first try the advanced
>     method. Only if the required sub-domain does not exist, they SHOULD
>     fall back to the direct method.
>
>     The advanced method requires that a sub-domain with the fixed name
>     "openpgpkey" is created and queried.
>
> Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist),
> gpg first tries the advanced method. This fails. gpg doesn't fall back to the
> direct method as per the spec: "Only if the required sub-domain does not
> exist, they SHOULD fall back to the direct method."
>
> The problem is that mail.de redirects any sub-domain to mail.de, e.g.
> `curl https://foobar.mail.de` is also redirected to `https://mail.de`. The
> problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.
Thank you for your explanation, Ingo! Now I understand what you meant.
It's a pity that GPG doesn't fall back to the direct method.
Regards,
Christoph
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
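The thread above turns on how WKD forms its two request URIs and on the "sub-domain exists" rule that decides between them. The following is an added example (not code from the thread, from GnuPG or from the draft) that builds both URIs for an address exactly as the draft describes (SHA-1 of the lowercased local-part, z-base-32 encoded, original local-part passed back in `l=`), and then models the method-selection rule with an injected DNS resolver so it runs offline. The resolver callbacks, the domain names `wildcard.example` and `plain.example`, and the helper `wildcard_dns_suspected` are constructed for illustration; the latter is the check an operator can use to see why a zone that answers for every name never lets a client reach the direct method.

```python
import hashlib
import os
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service, section 3.1)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most-significant bit first, no padding characters.
    A 20-byte SHA-1 digest (160 bits) maps to exactly 32 characters."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # right-pad the bit string to a multiple of 5 bits
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' path component: SHA-1 of the lowercased local-part, z-base-32 encoded."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return both request URIs for an address, keyed 'advanced' and 'direct'.
    The l= query parameter carries the local-part in its original case."""
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local_part)
    l_param = quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


def choose_method(domain: str, subdomain_exists) -> str:
    """The draft's rule: try the advanced method first and fall back to the direct
    method only if the openpgpkey sub-domain does not exist.
    subdomain_exists is a callable name -> bool (a constructed stand-in for DNS)."""
    return "advanced" if subdomain_exists(f"openpgpkey.{domain}") else "direct"


def wildcard_dns_suspected(domain: str, subdomain_exists) -> bool:
    """Operator diagnostic (constructed helper): if a random, never-published label
    under the domain also resolves, the zone answers for any name, so the
    'sub-domain exists' test cannot tell a real openpgpkey host from a wildcard."""
    probe = "wkd-probe-" + zbase32_encode(os.urandom(8))
    return subdomain_exists(f"{probe}.{domain}")


if __name__ == "__main__":
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:8s} {url}")

    # constructed resolvers: one zone answers for every name, the other only for its apex
    wildcard_zone = lambda name: name.endswith(".wildcard.example")
    plain_zone = lambda name: name == "plain.example"
    for dom, resolver in (("wildcard.example", wildcard_zone), ("plain.example", plain_zone)):
        print(dom, "->", choose_method(dom, resolver),
              "(wildcard suspected)" if wildcard_dns_suspected(dom, resolver) else "")
```

With a wildcard zone the client is locked into the advanced method: the sub-domain "exists" as far as DNS is concerned, the HTTPS request is then redirected or answered with something other than a key, and the spec gives no second chance. Publishing the `openpgpkey` host for real, or excluding it from the wildcard so the name does not resolve, are the two provider-side ways out.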