Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
> Now I'm a bit confused :O
> I thought WKD can be used with your own webserver. So why do I have to
> make a CNAME record pointing to "wkd.keys.openpgp.org"?
>
> Or did I understand anything wrong?

Sorry, that was confusing without context. Yes, WKD is bound to the domain of
the email address, and as such it will typically be hosted together with the
email server itself, or at least by the same entity. Using the advanced WKD
method, it's possible to "outsource" hosting using a CNAME, and keys.o.o will
do the rest: https://keys.openpgp.org/about/usage#wkd-as-a-service

But this is only a shortcut for convenience. WKD works best when it is run
decentralized by the email hosters themselves.

 - V

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
On Sat, Jan 16, 2021 at 12:55 PM Stefan Claas wrote:
>
> On Sat, Jan 16, 2021 at 12:52 PM Stefan Claas wrote:
> >
> > On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users wrote:
> > >
> > > Hello Group!
> >
> > > BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?
> >
> > Hi Juergen,
> >
> > me as a Windows DAU (Dümmster Anzunehmender User, "dumbest assumable
> > user") used the direct-method:
>
> [EDIT]
>
> > Create in your web server's root directory the following:
> > a directory '.well-known' and in that
> > a folder named 'openpgpkey'; put in that folder another folder named 'hu'.

[EDIT #2] With root directory I mean where you have stored your html content
which shows up when someone is visiting your site.

Regards
Stefan
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
On Sat, Jan 16, 2021 at 12:52 PM Stefan Claas wrote:
>
> On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users wrote:
> >
> > Hello Group!
>
> > BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?
>
> Hi Juergen,
>
> me as a Windows DAU (Dümmster Anzunehmender User, "dumbest assumable
> user") used the direct-method:

[EDIT]

> Create in your web server's root directory the following:
> a directory '.well-known' and in that
> a folder named 'openpgpkey'; put in that folder another folder named 'hu'.

Regards
Stefan
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users wrote:
>
> Hello Group!

> BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?

Hi Juergen,

me as a Windows DAU (Dümmster Anzunehmender User, "dumbest assumable user")
used the direct-method:

Create in your web server's root directory the following:

a folder named 'openpgpkey'; put in that folder another folder named 'hu'.

In the openpgpkey folder put a policy file, named 'policy'; it can be empty.

In the hu folder put the binary blob of your pub key(s).

To create the proper pub key do the following:

gpg --list-keys --with-wkd-hash

It will show you your pub key's data with an additional hash.

In order to export your pub key do the following:

gpg --export your_pubkey >hash_as_filename

Put that binary blob of your pub key in your hu folder so that the filename
shows the hash, without the @email part.

Then use Wiktor's WKD checker to check your result.

If everything went well you can try to fetch your pub key with

gpg --locate-keys juergen@email.address

Hope this helps and please report back your results.

Best regards
Stefan
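The steps above, worked through as an added example (this is not code from the thread or from GnuPG). It lays out the direct-method tree including the '.well-known' directory that Stefan's later edits add, computes the hu/ file name with the rule from draft-koch-openpgp-webkey-service (SHA-1 over the local-part with its ASCII letters lower-cased, z-base-32 encoded), which is the same value `gpg --list-keys --with-wkd-hash` prints, and runs the offline checks a WKD checker would do first: policy file present, key file named correctly, key exported as binary rather than ASCII-armored. It goes a little beyond the post by also building the advanced-method URL, since that openpgpkey.<domain> host is what the CNAME-to-wkd.keys.openpgp.org option discussed earlier in the thread relies on. The key blob is a constructed placeholder standing in for the output of `gpg --export`; the address and file names are assumed.

```python
"""WKD direct-method layout and offline sanity checks (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple
from urllib.parse import quote

# z-base-32 alphabet used by GnuPG for WKD (not the RFC 4648 base32 one).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Constructed placeholder for `gpg --export <fingerprint>` output: 0x99 is an
# old-format OpenPGP public-key packet header (tag 6, two-byte length).
PLACEHOLDER_KEY_BLOB = b"\x99\x00\x03\x04\x00\x00"


def zbase32(data: bytes) -> str:
    """z-base-32 encode: 5-bit groups, most significant bits first, no padding."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32_ALPHABET[(acc >> nbits) & 31])
    if nbits:  # not reached for a 20-byte SHA-1 (160 bits = 32 digits)
        out.append(ZB32_ALPHABET[(acc << (5 - nbits)) & 31])
    return "".join(out)


def split_address(email: str) -> Tuple[str, str]:
    """Return (local-part as written, domain lower-cased)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    return local, domain.lower()


def wkd_hash(email: str) -> str:
    """File name under hu/: only ASCII A-Z of the local-part are lower-cased."""
    local, _ = split_address(email)
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local)
    return zbase32(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_direct_url(email: str) -> str:
    """Direct method: served by the mail domain's own web server."""
    local, domain = split_address(email)
    return "https://%s/.well-known/openpgpkey/hu/%s?l=%s" % (
        domain, wkd_hash(email), quote(local))


def wkd_advanced_url(email: str) -> str:
    """Advanced method: the openpgpkey.<domain> host, which may be a CNAME."""
    local, domain = split_address(email)
    return "https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s?l=%s" % (
        domain, domain, wkd_hash(email), quote(local))


def build_direct_tree(webroot: Path, email: str, key_blob: bytes) -> Path:
    """Create .well-known/openpgpkey/{policy,hu/<hash>} under the web root."""
    base = webroot / ".well-known" / "openpgpkey"
    (base / "hu").mkdir(parents=True, exist_ok=True)
    (base / "policy").touch()  # may stay empty, but must be fetchable
    key_path = base / "hu" / wkd_hash(email)
    key_path.write_bytes(key_blob)
    return key_path


def check_direct_tree(webroot: Path, email: str) -> List[str]:
    """Offline checks for the mistakes that make `gpg --locate-keys` fail."""
    problems = []
    base = webroot / ".well-known" / "openpgpkey"
    if not (base / "policy").is_file():
        problems.append("missing policy file")
    key_path = base / "hu" / wkd_hash(email)
    if not key_path.is_file():
        problems.append("missing key file hu/%s" % key_path.name)
        return problems
    blob = key_path.read_bytes()
    if blob.startswith(b"-----BEGIN"):
        problems.append("key is ASCII-armored; re-export without --armor")
    elif not blob or not blob[0] & 0x80:
        problems.append("key file does not start with an OpenPGP packet")
    return problems


def demo(email: str = "Joe.Doe@Example.ORG") -> Dict[str, object]:
    """Build a tree in a temp dir, check it, then break it with an armored key."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        key_path = build_direct_tree(root, email, PLACEHOLDER_KEY_BLOB)
        good = check_direct_tree(root, email)
        key_path.write_bytes(b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")
        armored = check_direct_tree(root, email)
    return {"hash": wkd_hash(email), "direct": wkd_direct_url(email),
            "advanced": wkd_advanced_url(email), "filename": key_path.name,
            "good": good, "armored": armored}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Run it with a real address and compare the printed hash with what `gpg --list-keys --with-wkd-hash` shows for that user ID; the two must match or the client will look for a file that is not there. The armored-key check exists because `gpg --export --armor` output in hu/ is the most common reason a tree that "looks right" still fails `gpg --locate-keys`. The advanced URL makes the CNAME point concrete: only that openpgpkey.<domain> host can be delegated elsewhere, since the direct-method path lives on the mail domain's own web server.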
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
Hello Group!

On 16.01.21 at 03:26, Vincent Breitmoser via Gnupg-users wrote:
> Daniel Kahn Gillmor via Gnupg-users wrote:
>> On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
>>> The "make a CNAME of your openpgpkeys subdomain to
>>> wkd.keys.openpgp.org" couldn't work with https certificate validation,
>>> though (or are they requesting a certificate on-the-fly?)
>>
>> In fact, i believe that keys.openpgp.org *is* requesting and retaining a
>> certificate on-the-fly if it finds itself addressed by such a CNAME.
>
> Yep. If that wasn't possible, we wouldn't do it.
>
> btw, if anyone is interested: keys.o.o serves wkd for 224 domains right now.
>
> - V

Now I'm a bit confused :O
I thought WKD can be used with your own webserver. So why do I have to
make a CNAME record pointing to "wkd.keys.openpgp.org"?

Or did I understand anything wrong?

BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?

best regards
Juergen

--
/¯\  No   |
\ /  HTML |Juergen Bruckner
 X   in   |juergen@bruckner.email
/ \  Mail |
Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]
Daniel Kahn Gillmor via Gnupg-users wrote:
> On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
> > The "make a CNAME of your openpgpkeys subdomain to
> > wkd.keys.openpgp.org" couldn't work with https certificate validation,
> > though (or are they requesting a certificate on-the-fly?)
>
> In fact, i believe that keys.openpgp.org *is* requesting and retaining a
> certificate on-the-fly if it finds itself addressed by such a CNAME.

Yep. If that wasn't possible, we wouldn't do it.

btw, if anyone is interested: keys.o.o serves wkd for 224 domains right now.

 - V