On 15 January 2021 01:56:04 CET, raf via Gnupg-users <gnupg-users@gnupg.org> wrote:
>But of course, you're not asking for that. You're just
>asking for something to work. There must be other ways.
>Accepting invalid certificates might just have been my
>first thought at how to deal with this. But that would
>enable the advanced method to work (in situations where
>it shouldn't). If I remember correctly (possibly not),
>you wanted the direct method to work, and github.io's
>mis-configuration of certificates caused the advanced
>method to be attempted and fail, before the direct
>method could even be attempted.

I'll try to complete your summary. The DNS wildcard entry for 
*.example.github.io leads to the advanced method being tried. We can't change 
that entry, and therefore with the current protocol draft, it makes no sense 
to forcefully want to use the direct method. 

It's easy to set up the advanced method there. But GitHub uses an invalid TLS 
certificate for openpgpkey.example.github.io. That's what needs fixing and it 
is also out of our control.

So basically Stefan's request is to change the protocol to work around a 
misconfiguration because both DNS and the TLS certificate are controlled by a 
company that offers the service totally unrelated to WKD. Such a workaround 
could hurt the ecosystem because it may hide a misconfiguration in setups where 
the operator does have control over these things and just needs to notice. 

>OK. I just had a look at https://wiki.gnupg.org/WKD and
>it doesn't refer to "advanced" or "direct" methods. It
>seems to consider the "direct" method as the main
>method, and the "advanced" method as a "Stopgap method"
>which is "Not recommended - but a temporary
>workaround". So having an additional mechanism to
>disable the "advanced" method sounds reasonable. Or
>maybe the wiki page needs to be updated(?).

Sorry, you just misread that part. The stopgap solution is to use a server 
operated by openpgp.org instead of your own web server. For that to work, you 
must set up the advanced method for WKD on your domain's DNS. That method is 
perfectly fine and in some scenarios even easier to use.

Kind regards
André

Hi raf,

thanks for your perspective on the matter.

--
Greetings...
From: André Colomb <an...@colomb.de>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
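As an added illustration (not part of the thread or of GnuPG), the following Python models the client behaviour André describes: the WKD URL construction from the draft, and the rule that a resolving openpgpkey.<domain> name selects the advanced method with no fallback to the direct method when its TLS connection fails. The DNS and certificate stand-ins are constructed assumptions, including the assumption that the GitHub certificate is a wildcard that does not cover a second-level sub-domain.

```python
import hashlib
from urllib.parse import urlsplit

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD


def zbase32(data: bytes) -> str:
    """z-base-32 encode, most significant bits first, 5 bits per character.
    A 20-byte SHA-1 digest is 160 bits, i.e. exactly 32 characters."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5
    bits <<= pad
    return "".join(ZBASE32[(bits >> (5 * i)) & 31]
                   for i in range((nbits + pad) // 5 - 1, -1, -1))


def wkd_urls(userid: str) -> dict:
    """Direct and advanced WKD URLs for a user ID, as in the WKD draft:
    the hash is SHA-1 of the lower-cased local part; the domain is lower-cased."""
    local, domain = userid.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={local}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{hu}?l={local}",
    }


def wkd_lookup(userid: str, resolve, fetch) -> tuple:
    """The client decision the message describes: if openpgpkey.<domain>
    resolves, the advanced method is used and its result is final; the
    direct method is only tried when that sub-domain does not exist."""
    domain = userid.rsplit("@", 1)[1].lower()
    method = "advanced" if resolve(f"openpgpkey.{domain}") else "direct"
    return method, fetch(wkd_urls(userid)[method])


# Constructed offline stand-ins for DNS and HTTPS (assumptions, not real lookups)
WILDCARD_ZONES = {"example.github.io"}       # models a "*.example.github.io" record
A_RECORDS = {"example.org", "example.github.io"}
CERT_SANS = {"example.org", "*.github.io"}   # assumed: wildcard covers one label only


def fake_resolve(host: str) -> bool:
    return host in A_RECORDS or any(host.endswith("." + z) for z in WILDCARD_ZONES)


def fake_fetch(url: str) -> str:
    host = urlsplit(url).hostname
    parent = host.split(".", 1)[1] if "." in host else ""
    covered = host in CERT_SANS or ("*." + parent) in CERT_SANS
    return "ok" if covered else "tls: certificate verify failed"
```

With the stand-ins above, example.org has no openpgpkey sub-domain and the direct method succeeds, whereas the wildcard under example.github.io forces the advanced method, which then fails on the certificate and is not retried via the direct method.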
