On Tue, Jan 12, 2021 at 5:36 PM Ingo Klöcker <kloec...@kde.org> wrote:
>
> On Tuesday, 12 January 2021 12:47:59 CET Stefan Claas via Gnupg-users wrote:
> > On Tue, Jan 12, 2021 at 12:43 PM Andrew Gallagher <andr...@andrewg.com>
> > wrote:
> > > Yes, WKD is great. But as André has explained, there is an overhead cost
> > > (to everyone) for trying the direct method first, so inverting this to
> > > work around the side effects of an experiment that's tied to one
> > > particular vendor's service is a *huge* ask.
> >
> > Well, I am not sure about the details for a server or a user when it comes
> > to overhead, and if you mean with one particular vendor GitHub, well
> > that may be the beginning for such a request. But like I mentioned, if people
> > would wish to manage key distribution themselves, without using third
> > parties like Hagrid or hockeypuck, or even running such software and
> > servers, I strongly believe that WKD could be an excellent choice, if
> > this would be fixed.
>
> Why do you think anything needs to be changed in gpg? The problem isn't the
> implementation of WKD in gpg. The problem is that GitHub serves sub-sub-
> subdomains like openpgpkey.sac001.github.io with an invalid TLS certificate.
>
> It's not only gpg that complains.
>
> ===
> $ curl https://openpgpkey.sac001.github.io
> curl: (60) SSL: no alternative certificate subject name matches target host
> name 'openpgpkey.sac001.github.io'
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> ===
>
> It's easy for people to manage key distribution themselves with WKD. All they
> have to do is set up WKD, with or without the openpgpkey subdomain, with valid (!!!)
> TLS certificates.
Hello Ingo,

please ... openpgpkey is *not* a part of a real (sub)domain, which a user of any
domain service has to define in a record. Please accept also that a modern OpenPGP
software like sequoia-pgp can handle this *adequately* with the direct method first!

Additionally I have received from GitHub a very nice reply, which I and I guess all
will accept here! Quote: "... however I don't believe GitHub is in a position to try
and persuade a software author to change or fix their software."

So the last thing, besides discussing the issue here with the community, is to file
a bug report at:

https://dev.gnupg.org/

At least the global OpenPGP community is now aware of my proposal and I repeat here
once again: GitHub (which I am not affiliated with in any form) has a *proper* SSL
cert and github.io pages are properly working subdomain sites, which GnuPG's and
gpg4win's WKD implementation can not handle, while modern OpenPGP implementations
like sequoia-pgp can handle this.

BTW, I am also not affiliated in any form with sequoia or the pEp foundation etc.

Best regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
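The two WKD lookup methods and the certificate problem Ingo's curl output shows can be checked offline. The following Python script is an added example, not code from this thread, from GnuPG or from sequoia-pgp: it builds the direct-method and advanced-method WKD URLs for an address (lowercased local part, SHA-1, z-base-32, as the WKD draft specifies) and then applies RFC 6125 wildcard matching to see which of the two hosts a certificate would cover. The address sac001@sac001.github.io is constructed for the example, and the certificate SAN list ["*.github.io", "github.io"] is an assumption: it is consistent with curl's "no alternative certificate subject name matches" error above, but the page does not print the certificate itself.

```python
"""WKD lookup URLs and wildcard-certificate coverage.

Added example for the gnupg-users thread above; not GnuPG or sequoia code.
"""
import base64
import hashlib
from typing import List, Optional
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part; the bit grouping is the
# same as RFC 4648 base32, only the alphabet differs, so a table translation suffices.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_TRANS = str.maketrans(_RFC4648, ZBASE32)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    # 160 bits encode to exactly 32 base32 symbols, so no '=' padding is produced.
    return base64.b32encode(digest).decode("ascii").translate(_TRANS)


def wkd_urls(address: str) -> dict:
    """Direct- and advanced-method WKD URLs (and hosts) for an e-mail address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")  # original local part, percent-encoded
    return {
        "direct_host": domain,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
        "advanced_host": f"openpgpkey.{domain}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
    }


def san_matches(pattern: str, hostname: str) -> bool:
    """dNSName matching in the RFC 6125 style: a leftmost '*' label matches exactly
    one non-empty label, never several and never zero (partial wildcards like
    'f*.example' are not accepted here)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covering_san(hostname: str, sans: List[str]) -> Optional[str]:
    """First SAN entry that covers hostname, or None (this is curl's (60) case)."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    # Constructed address on a GitHub Pages domain. The SAN list is an assumption
    # consistent with the quoted curl error, not a certificate taken from the page.
    urls = wkd_urls("sac001@sac001.github.io")
    assumed_sans = ["*.github.io", "github.io"]
    for method in ("direct", "advanced"):
        host = urls[f"{method}_host"]
        print(f"{method:8} {urls[method]}")
        print(f"         covered by: {covering_san(host, assumed_sans) or 'NO SAN MATCHES'}")
```

Running it shows the direct host sac001.github.io matched by *.github.io while the advanced host openpgpkey.sac001.github.io, one label deeper, matches nothing, which is exactly why a client that tries the advanced method first and treats a TLS failure as final never reaches the working direct URL.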