WKD & redirects: draft-koch-openpgp-webkey-service vs GnuPG

Werner Koch wk at gnupg.org
Mon Oct 24 17:53:15 CEST 2022


On Fri, 21 Oct 2022 22:58, Robin H. Johnson said:
> gpg 2.3.8...
>
> Over at Gentoo we got this bug filed about the WKD setup:
> https://bugs.gentoo.org/877791
>
> $ gpg -v --auto-key-locate wkd --locate-external-keys infrastructure at gentoo.org
> gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
> gpg: (further info: changed from
> 'https://gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure'
> to
> 'https://www.gentoo.org/.well-known/openpgpkey/hu/gzhmqtt9d5d1y1bw4ufs47npj5wn8pyx?l=infrastructure')
>
> We have a tiny anycast service at the Apex https://gentoo.org/ that
> redirects *everything* to www.gentoo.org; no exceptions possible.

Which is quite common.  Does this

--8<---------------cut here---------------start------------->8---
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 20f71f61b..f11e7765b 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -3619,6 +3619,7 @@ same_host_p (parsed_uri_t a, parsed_uri_t b)
   };
   static const char *subdomains[] =
     {
+      "www.",
       "openpgpkey."
     };
   int i;
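
Review bot: The new `"www.",` entry in `subdomains[]` has no comment saying why it counts as the same host, and it is a far more general label than the WKD-specific `"openpgpkey."` beside it. The comparison code in `same_host_p` is not part of this hunk, so before merging confirm that it only accepts a redirect to `www.` followed by the exact original host name (here `gentoo.org` to `www.gentoo.org`), not any host that merely begins with `www.`, and decide whether the reverse direction should pass as well. Since the patch is posted as untested, running the `--locate-external-keys` command from the report against it would show whether the warning actually goes away.
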
--8<---------------cut here---------------end--------------->8---

untested patch help to silence the warning?

> Otherwise, if Redirects aren't forbidden, I feel the warning should be removed
> for this case (and a note about how they are accepted should be added to the

Yep.  However, I don't think this is something which needs
specification.  Implementations are free to handle this on their own.


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein