On 12/01/2021 09.25, Stefan Claas via Gnupg-users wrote:

> It would be nice to know why the advanced method was added. In case
> the direct method would not be sufficient or would have security issues
> I would think that then one replaces the direct method with the advanced
> one and then we only need one method, in order that this works.
A domain is not automatically tied to a webserver. It might so far only be used for e-mail and just to set up WKD, one might not want to run a webserver under the second-level domain itself. Therefore the standardized "openpgpkey" subdomain, which can easily point to a different IP. That makes it easy to completely separate the infrastructure needed for WKD from anything else, like a webserver for a web page, webmail or other services.

In addition, that separate server might serve WKD keys for a bunch of different domains through redirects, hence it makes sense to separate the URLs per domain. It just gives the admin additional flexibility by not forcing them to make a certain URL under the main domain work.

> And if we must have two methods, why is the order not, like one would
> think: check direct first and if this does not work check advanced?
> I must admit I do not understand the programming logic.

That's easy: If openpgpkey.example.org exists, we can be certain that example.org exists as well. So the check for the openpgpkey subdomain must come first if its mere existence decides which method is tried. Otherwise you would get HTTPS connections for every WKD request on the example.org server, which fail if the direct method is not supported. Just to make another HTTPS connection to openpgpkey.example.org to try the advanced method next. That's a lot of overhead on both the client and server side, compared to the two DNS queries you need to make either way.

Hope that helps.

André

--
Greetings...
From: André Colomb <an...@colomb.de>
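The lookup order André describes, as an added example that is not part of the thread: build both WKD URLs for an address and choose the advanced method only when the openpgpkey subdomain resolves in DNS, otherwise fall back to direct. The hash and URL layout follow the WKD draft (SHA-1 of the lower-cased local part, z-base-32 encoded); the `exists` callback is an assumption so the selection logic can be run without network access.

```python
"""WKD lookup order: probe the openpgpkey subdomain first, else direct."""
import hashlib
import socket
from typing import Callable, Tuple
from urllib.parse import quote

# z-base-32 alphabet (RFC 6189 section 5.1.6), as used by the WKD draft
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (20 bytes -> 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad the final group to 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> Tuple[str, str]:
    """Return (advanced_url, direct_url) for one mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu, l = wkd_hash(local), quote(local)
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{hu}?l={l}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l}"
    return advanced, direct


def name_exists(hostname: str) -> bool:
    """Real DNS probe (assumed helper): does the name resolve at all?"""
    try:
        socket.getaddrinfo(hostname, 443)
        return True
    except socket.gaierror:
        return False


def select_wkd_url(address: str,
                   exists: Callable[[str], bool] = name_exists) -> Tuple[str, str]:
    """Probe openpgpkey.<domain> first; its presence decides the method.
    Returns (method_name, url). The subdomain existing implies the domain
    exists, so no HTTPS round trip is wasted on the direct method."""
    advanced, direct = wkd_urls(address)
    domain = address.rsplit("@", 1)[1].lower()
    if exists(f"openpgpkey.{domain}"):
        return "advanced", advanced
    return "direct", direct
```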