WKD: returns only one pubkey (and why)

Dashamir Hoxha dashohoxha at gmail.com
Tue Dec 13 22:32:59 CET 2022


On Tue, Dec 13, 2022 at 1:59 PM Simon Josefsson via Gnupg-devel <
gnupg-devel at gnupg.org> wrote:

>
>   1) Use WDK to map ONE email address to ONE public key to use for
>   email.
>
>   2) Use WDK to find ALL public keys for an email address.
>

The second case, as you describe it, seems to be orthogonal to the first
one, in the sense that they are independent of each other. So, it can be
implemented as a separate protocol. But probably it makes more sense to
implement it as an extension of the current WKD protocol.

> specifying that a plural-version of the URL returns all keys?  So let's
> assume we have this URL to return one public key only:
>
>
> https://intevation.de/.well-known/openpgpkey/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4
>
> Then we could standardize the following (note plural 's') to return ALL
> keys for the given email address:
>
>
> https://intevation.de/.well-known/openpgpkeys/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4
>
> Alternatively, we could use URL parameters on the first URL like this:
>
>
> https://intevation.de/.well-known/openpgpkey/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4?allkeys
>
> Or perhaps a compromise -- based on the observation that registering
> multiple 'well-known' protocols has a cost, and that URL parameters like
> '?allkeys' works badly with HTTPS servers serving static content, how
> about a URL like this:
>
>
> https://intevation.de/.well-known/openpgpkey/allkeys/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4


Does it make sense to look for a public key by its id? I mean something
like this:

https://intevation.de/.well-known/openpgpkey/id/847FC5C4337D9CDBD473B7A60967FD258D6414F9

There are two differences with the current well-known url:
1. Instead of "/hu/" (which means hashed-userid), there is "/id/" (which
means the key id).
2. Instead of "it5sewh54rxz33fwmr8u6dy4bbz8itz4" which is the hash of
"alice" (in case that the userid is "alice at intevation.de"), there is
"847FC5C4337D9CDBD473B7A60967FD258D6414F9" which is the id of the key.

In this case a client can easily ask for the public key that is needed to
verify a certain signature.
However, I am not sure whether we can find out the userids of the key that
is used to sign. If not, then we cannot infer the domain of the well-known url.

In this case we might need a directory service to look up the userid(s) that
are associated with a certain key id (think of it like a phone book -- you
know the phone number and you can find the name of its owner). This
directory service might be based on blockchains, or it might be a modified
(simplified?) version of the current keyservers.

However, if we have such a directory service, then we can just list the url
where the public key is located, so maybe we don't need a "well-known url"
format.

Dashamir
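As an added illustration (not part of the thread), this shows how the hashed-userid component of the "/hu/" URLs quoted above is derived under the WKD draft: SHA-1 of the lowercased local part, encoded in z-base-32, for both the direct and the advanced lookup method. The "?l=<local-part>" query parameter that the draft appends is made optional so the default output matches the URL shapes in the thread; the email address used is a constructed sample.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, MSB first, no padding characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad the final partial group with zero bits
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hu(local_part: str) -> str:
    """WKD hashed user id: z-base-32(SHA-1(lowercased local part)); always 32 chars."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str, include_local_part: bool = False) -> dict:
    """Return the direct and advanced method WKD lookup URLs for an address.

    With include_local_part=True the draft's '?l=<local-part>' query parameter
    (original case, percent-encoded) is appended, as the spec requires; it is
    off by default so the shapes match the URLs quoted in the thread.
    """
    local_part, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hu(local_part)
    suffix = f"?l={quote(local_part, safe='')}" if include_local_part else ""
    return {
        "hu": hu,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}{suffix}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{suffix}",
    }


if __name__ == "__main__":
    # constructed sample address; the server behind it is not contacted
    for name, url in wkd_urls("alice@intevation.de").items():
        print(f"{name}: {url}")
```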