WKD proper behavior on fetch error

Stefan Claas spam.trap.mailing.lists at gmail.com
Fri Jan 15 20:34:21 CET 2021


On Fri, Jan 15, 2021 at 7:39 PM Ángel <angel at pgp.16bits.net> wrote:
>
> On 2021-01-15 at 07:56 +0100, Stefan Claas via Gnupg-users wrote:
> > Don't you think when GitHub, a major player, would have an invalid
> > SSL cert, that maybe one of the millions programmers there would not
> > have contacted GitHub, like I did, and say hey GithHub you serve
> > the global community and visitors an invalid SSL certificate? I must
> > admit that I also do not understand what you mean with sus-sub
> > domains. My GitHub page is sac001.github.io and not foo.bar.github.io
> > or whatever.
>
> By sub-sub-domains we are all talking about pages such as
> https://openpgpkey.sac001.github.io or https://helloworld.sac001.github.io
>
> Go there, click those links. You will see that -*after forcing your browser
> to ignore the invalid certificate*- there is a web page there returning
> a message of "Site not found", "404 There isn't a GitHub Pages site
> here".
>
> *I* don't know why they have such domains resolving. It may have been
> simpler to configure the dns server that way, or perhaps they just
> missed it. The funny thing is, I don't think there's a way to create a
> page in helloworld.sac001.github.io or openpgpkey.sac001.github.io, so
> these sites are mostly useless (if not directly problematic such as in
> WKD case), and I guess that's why no one really bothered about the
> invalid certificate for them (which isn't easy to solve, either).
>
> I don't know what process you used to contact GitHub support, but the
> question to ask would be precisely this:
> > Why is there something on https://openpgpkey.sac001.github.io ? How
> > can I modify it? If there is not, could you make it not resolve?
>
>
>
> The reasons why it is picked have been, I think, explained already many
> times in this thread.

In this whole thread a lot of arguments have been made by all the
people involved, which is of course good!

Speaking non-technically (let us forget DNS, SSL, wildcards etc. for a moment):

If you or someone else sets up a web server, for a big organisation or for
yourself, you simply put some content in the .well-known folder, which would
most likely then look like this:

http://domain.tld/.well-known/etc... or maybe
https://sub.domain.tld/.well-known/etc...

If someone now writes a program which needs to access content in the
well-known folder, why does a software author need to implement two methods to
access the well-known folder? This part, for example, I do not understand,
because if one method is not good or secure enough I would simply drop
that method and implement only the more secure and more reliable one, or not?

The situation we now have is that we have two popular OpenPGP apps
which handle the access to the well-known openpgp directory differently,
which nobody can deny.

Let's assume the following: GitHub and Werner would have a meeting
and they would find no consensus. I for example can say I don't care
about a draft and happily promote sequoia-pgp usage over GnuPG
usage, in case OpenPGP users would like to use GitHub and WKD
for a multi-purpose OpenPGP too. That would probably pi*#-off Werner and
a couple of others very much, but I have not done something
wrong and people are allowed to do the same.

So in the end I personally think that it can't be wrong if Werner would
discuss this and would act accordingly in a way that we all have
a clear overview of his WKD project. I for example have found a WKD
Golang library which, when noodling around a bit, I can customize to
my heart's content for other crypto apps and then can present a WKD
solution, based on the direct method, for other non-OpenPGP software.

Since this is all open source and not commercially licensed software,
people have many options without following a draft ...

My intention was only to promote WKD OpenPGP usage for github.io
pages in case people like the idea.

How did I contact GitHub? I simply used their contact form,
filled in my request and then received a support ticket, and
at the end I was asked to fill out a customer survey, e.g. quality
etc. of the support I received. That is common with almost all
U.S. based companies.

Best regards
Stefan
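The two-method question raised above, as an added example (not GnuPG's, sequoia's or the draft's own code): it builds the direct and advanced WKD URLs for an address and falls back to the direct method when the advanced fetch fails, which is the situation the thread describes for the openpgpkey sub-sub-domains on github.io. The fetcher is injected, github_like_fetch is a constructed stand-in so it runs offline, and the fall-back-on-any-error policy is this example's own assumption, not a statement of how GnuPG behaves.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD to encode the SHA-1 of the local part
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, MSB first, no padding."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc, nbits = (acc << 8) | byte, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 31])
    if nbits:  # never hit for a 160-bit SHA-1 digest, kept for completeness
        out.append(ZBASE32[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_urls(address: str) -> dict:
    """Advanced and direct WKD lookup URLs for an e-mail address."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    hashed = zbase32(hashlib.sha1(local.lower().encode()).digest())
    query = "?l=" + quote(local, safe="")
    base = "/.well-known/openpgpkey"
    return {
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}{base}/hu/{hashed}{query}",
    }


def lookup(address: str, fetch):
    """Try the advanced method first; on any fetch error (TLS failure, 404,
    DNS error) fall back to the direct method. Returns (method, data)."""
    urls = wkd_urls(address)
    for method in ("advanced", "direct"):
        try:
            return method, fetch(urls[method])
        except Exception:
            continue  # this fall-back policy is the example's own assumption
    return None, None


def github_like_fetch(url: str) -> bytes:
    """Constructed stand-in for the case in the thread: the openpgpkey
    sub-sub-domain resolves but fails TLS, the direct github.io URL works."""
    if url.startswith("https://openpgpkey."):
        raise ConnectionError("certificate verify failed (constructed)")
    return b"constructed binary key"
```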


