The "advanced" URL of openpgp-webkey-service-07, and l=

justina colmena justina at colmena.biz
Tue Feb 12 21:00:17 CET 2019


On February 11, 2019 4:04:31 AM AKST, Alessandro Vesely <vesely at tana.it> wrote:
>Werner,
>
>I just saw version -07 today.  The advanced method:
>
>WELLKNOWN :=
>https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
>doesn't seem to make much sense to me.  I tried it with posteo.de, and
>got:
>
>ale at pcale:~/tmp$ dig +short openpgp.posteo.de
>89.146.220.134
>
>ale at pcale:~/tmp$ curl --head
>https://openpgp.posteo.de/.well-known/posteo.de/openpgpkey/submission-address
>curl: (51) SSL: no alternative certificate subject name matches target
>host name 'openpgp.posteo.de'
>
>The subdomain is probably a star (*) DNS record.  However, their
>certificate's Subject Alt Name doesn't have a star, but a list of
>subdomains.  Certificates cost, albeit not much, so the need to set up
>a new subdomain may hamper implementation.
>
>I'm unable to get the "flexibility in setting up the Web Key Directory
>in environments where more than one mail domain is hosted".  Say I host
>A.example and B.example.  Then I need to set up both subdomains
>openpgpkey.A.example and openpgpkey.B.example.  Internally, they can be
>redirected in a number of ways, but the server should hold the
>HTTP_HOST anyway.  To repeat the mail domain between .well-known and
>openpgpkey doesn't seem to help much.
>
>The openpgpkey folder can be implemented by plain files named after the
>32 byte string and containing the key to be served.  The l= parameter
>would just be discarded in that case.  Otherwise, if the server side
>script is cute, should it verify whether the value of the parameter
>interpreted as a local part matches the 32 byte string?  What if they
>don't match?  To urlencode the local part might have been easier than
>Z-encoding its SHA1, but what's the point of doing both?
>
>
>Best
>Ale
>
>

Certificates COST, do they?

Should a * star certificate COST so infinitely much, then?

WELLKNOWN := Check the sex offender registry list, grab a guy by short and curlies, dig in with your fingernails, and give a sharp twist to the left, or something like that.

Is that what those Russian ladies from NGINX call a "leftist" programming style?
-- 
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/
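A worked example of the construction the quoted questions turn on (added here; not code from either message or from the draft): the 32-character name under `hu/` is the z-base-32 encoding of SHA-1 over the lowercased local part, `?l=` carries the original local part, and a server that wants to answer "what if they don't match?" can recompute the hash from `l=` and compare. The `hu/` subfolder under the advanced WELLKNOWN prefix quoted above, and the lowercasing of the domain, are assumptions mirroring the direct method.

```python
import hashlib
import hmac
from urllib.parse import quote

# z-base-32 alphabet used by WKD, 5 bits per character
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first, zero-padded to 5-bit groups."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(ZBASE32[(value >> shift) & 31] for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 32-character 'hu' name: z-base-32(SHA-1(lowercased local part)); 160 bits, no padding."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def direct_url(address: str) -> str:
    local, domain = address.rsplit("@", 1)
    return (f"https://{domain.lower()}/.well-known/openpgpkey/hu/"
            f"{wkd_hash(local)}?l={quote(local, safe='')}")


def advanced_url(address: str) -> str:
    # WELLKNOWN layout as quoted from -07; the trailing 'hu/' is assumed, mirroring the direct method
    local, domain = address.rsplit("@", 1)
    d = domain.lower()
    return (f"https://openpgpkey.{d}/.well-known/{d}/openpgpkey/hu/"
            f"{wkd_hash(local)}?l={quote(local, safe='')}")


def local_part_matches_hash(l_value: str, requested_hash: str) -> bool:
    """Server-side consistency check: does ?l= hash to the 'hu' name that was requested?

    The hash is the lookup key; l= is advisory. A mismatch is a bad request to reject or log,
    never a reason to serve a different key file than the one named by the hash.
    """
    return requested_hash.isascii() and hmac.compare_digest(wkd_hash(l_value), requested_hash)


if __name__ == "__main__":
    addr = "Joe.Doe@Example.ORG"  # constructed sample address
    print(direct_url(addr))
    print(advanced_url(addr))
    print(local_part_matches_hash("Joe.Doe", wkd_hash("joe.doe")))
```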