Error when trying to locate key via WKD

Christoph Klassen christoph-klassen at mail.de
Thu Oct 28 09:32:55 CEST 2021


On 27.10.21 22:54, Ingo Klöcker wrote:
> [Putting this back on the mailing list. Please keep replies on the list.]
>
> On Mittwoch, 27. Oktober 2021 21:20:03 CEST Christoph Klassen wrote:
>> On 27.10.21 20:54, Ingo Klöcker wrote:
>>> The important part is
>>>
>>>     2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
>>>
>>> i.e. in the URL that dirmngr requests there is an additional "mail.de"
>>> between "/openpgp/" and "/hu/" that is missing in your URL.
>> That would be the advanced method of WKD (here's the draft:
>> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/),
>> which indeed doesn't work with my mail provider. But when I try the
>> direct method (example from the draft:
>> https://example.org/.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe)
>> I can get the key from my provider's WKD server. I admit I forgot the
>> parameter in the URL I posted.
>>
>> But that wasn't the point. My problem is that GnuPG couldn't get the key
>> via WKD and I don't understand why because it seems like it should work.
> The problem is that the domain openpgpkey.mail.de exists (or seems to exist)
> although mail.de doesn't support the advanced method. The draft you mentioned
> says:
>
>     There are two variants on how to form the request URI: The advanced
>     and the direct method.  Implementations MUST first try the advanced
>     method.  Only if the required sub-domain does not exist, they SHOULD
>     fall back to the direct method.
>
>     The advanced method requires that a sub-domain with the fixed name
>     "openpgpkey" is created and queried.
>
> Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist),
> gpg first tries the advanced method. This fails. gpg doesn't fall back to the
> direct method as per the spec: "Only if the required sub-domain does not
> exist, they SHOULD fall back to the direct method."
>
> The problem is that mail.de redirects any sub-domain to mail.de, e.g.
> `curl https://foobar.mail.de` is also redirected to `https://mail.de`. The
> problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.

Thank you for your explanation, Ingo! Now I understand what you meant. 
It's a pity that GPG doesn't fall back to the direct method.


Regards,

Christoph
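The following is an added worked example, not part of this thread and not GnuPG's or dirmngr's own code. It builds both WKD request URIs for an address the way the draft describes (SHA-1 of the lowercased local part, z-base-32 encoded, 32 characters) and then applies the draft's selection rule: advanced method first, direct method only if the openpgpkey sub-domain does not exist. The DNS lookup and the HTTPS fetch are assumptions injected as callables so the script runs offline; the "wildcard provider" below is a constructed stand-in for a provider that answers for every sub-domain and serves keys only under the direct path, which is the situation diagnosed above.

```python
import hashlib
from urllib.parse import quote

# Zooko's z-base-32 alphabet, the encoding WKD uses for the hashed local part.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit first."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # Right-pad the bit string with zeros so it splits into whole 5-bit groups
    # (a 20-byte SHA-1 digest is exactly 160 bits = 32 characters, no padding).
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)
    )


def wkd_hashed_local_part(local_part: str) -> str:
    """Hashed user ID per the draft: SHA-1 of the lowercased local part, z-base-32 encoded."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD request URIs for an e-mail address."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = wkd_hashed_local_part(local_part)
    query = "?l=" + quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


def select_wkd_request(address: str, subdomain_exists) -> tuple:
    """Apply the draft's rule: try the advanced method first; fall back to the
    direct method only if openpgpkey.<domain> does not exist.

    subdomain_exists(hostname) -> bool stands in for the DNS lookup (assumption:
    injected so this runs offline)."""
    domain = address.rsplit("@", 1)[1].lower()
    urls = wkd_urls(address)
    if subdomain_exists(f"openpgpkey.{domain}"):
        return ("advanced", urls["advanced"])
    return ("direct", urls["direct"])


def diagnose_wkd(address: str, subdomain_exists, fetch_ok) -> str:
    """Explain what a spec-following client will do for this address.

    fetch_ok(url) -> bool stands in for the HTTPS GET of the key (assumption,
    injected for offline use). The interesting case is a provider whose DNS
    answers for every sub-domain: the advanced method is selected, fails, and
    the client never tries the direct URL even if that one would have worked."""
    method, url = select_wkd_request(address, subdomain_exists)
    if fetch_ok(url):
        return f"{method} method works: {url}"
    if method == "advanced":
        return ("advanced method fails although openpgpkey.<domain> resolves; "
                "client will NOT fall back to the direct method (wildcard sub-domain)")
    return "direct method fails; no key available via WKD"


# Constructed stand-ins for two kinds of provider (not real DNS or HTTP).
def wildcard_provider_dns(hostname: str) -> bool:
    return hostname.endswith(".mail.de")          # every sub-domain "exists"


def wildcard_provider_http(url: str) -> bool:
    return url.startswith("https://mail.de/")     # keys served only on the direct path


def plain_provider_dns(hostname: str) -> bool:
    return False                                  # no openpgpkey sub-domain at all


if __name__ == "__main__":
    for name, u in wkd_urls("christoph-klassen@mail.de").items():
        print(f"{name:8s} {u}")
    print(diagnose_wkd("christoph-klassen@mail.de", wildcard_provider_dns, wildcard_provider_http))
    print(diagnose_wkd("christoph-klassen@mail.de", plain_provider_dns, wildcard_provider_http))
```

The advanced URL the script produces for `christoph-klassen@mail.de` is the same path dirmngr requested in the quoted log, which is the quickest way to confirm that a given hashed path in a log line really belongs to the address you expect. The useful check for a provider is the second scenario: if `openpgpkey.<domain>` resolves (or is caught by a wildcard) and the advanced URL does not serve the key, the direct path will never be consulted, so either the sub-domain must be made to not resolve or the advanced path must actually be served.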