On Tue, Jan 12, 2021 at 09:25:15AM +0100, Stefan Claas via Gnupg-users wrote:
> It would be nice to know why the advanced method was added.

To give more flexibility for people setting up a WKD for more than one domain.

Let’s say that I manage example.org and example.net, and I want to serve keys for addresses in both domains. With the “direct” method, I need to set up two distinct WKD servers, one for each domain. With the “advanced” method, I can set up a single server and make openpgpkey.example.org and openpgpkey.example.net point to that single server.

(SRV records would be the modern and proper way to provide such a level of indirection, instead of a subdomain. And indeed, previous versions of the WKD draft relied on SRV records. Unfortunately, resolving SRV records was problematic for some implementers using some limited languages with limited DNS capabilities, so they were scrapped in favor of the subdomain approach.)


> the direct method would not be sufficient or would have security issues
> I would think that one then replaces the direct method with the advanced
> one and then we only need one method, in order that this works.

If you have only one domain to manage and don’t need the indirection provided by the advanced method, the direct method is still perfectly fine, why replace it?

> And if we must have two methods, why is the order not, like one would
> think: check direct first and if this does not work check advanced?

I don’t know, it feels more logical to me to look for an indirection *first*, and only if there’s no indirection you then look at the target domain itself.


- Damien
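Added example, not part of the thread and not GnuPG's own code: a small Python sketch of the two URL forms discussed above and of the advanced-first lookup order Damien describes. The URL layouts and the SHA-1 plus z-base-32 hashing of the lowercased local part follow my reading of the WKD draft; `CONSTRUCTED_DNS`, `demo_resolver` and the `subdomain_resolves` hook are constructed stand-ins for DNS so that the code runs offline.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding, 5 bits per output character."""
    out = []
    acc = 0      # bit accumulator
    nbits = 0    # number of not-yet-emitted bits in acc
    for byte in data:
        acc = ((acc << 8) | byte) & 0xFFFF   # at most 12 live bits, mask keeps it small
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 0x1F])
    if nbits:  # flush a final partial group, zero-padded on the right
        out.append(ZBASE32[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (160 bits -> 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs for one address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()
    hashed = wkd_hash(local)
    # the l= parameter carries the local part as written, not lowercased
    l_param = quote(local, safe="")
    return {
        # advanced: openpgpkey.<domain> may point at a shared server, and the
        # domain is repeated in the path so that server can tell domains apart
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={l_param}",
        # direct: served from the mail domain itself
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={l_param}",
    }


def choose_url(email: str, subdomain_resolves) -> tuple:
    """Lookup order from the thread: try the indirection (advanced) first and
    fall back to direct only when openpgpkey.<domain> does not resolve.
    subdomain_resolves is an injected predicate (constructed) replacing real DNS."""
    urls = wkd_urls(email)
    domain = email.rpartition("@")[2].lower()
    if subdomain_resolves(f"openpgpkey.{domain}"):
        return "advanced", urls["advanced"]
    return "direct", urls["direct"]


# Constructed stand-in for DNS: only example.org has set up the indirection.
CONSTRUCTED_DNS = {"openpgpkey.example.org"}


def demo_resolver(name: str) -> bool:
    """Constructed resolver: True if the name 'exists' in our fake DNS."""
    return name in CONSTRUCTED_DNS


if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "alice@example.net"):
        method, url = choose_url(addr, demo_resolver)
        print(f"{addr}: {method} -> {url}")
```

The point of the advanced path layout for the two-domain setup in the mail: `openpgpkey.example.org` and `openpgpkey.example.net` can both resolve to one host, and because the path repeats the domain (`/openpgpkey/example.org/hu/...` versus `/openpgpkey/example.net/hu/...`) that single server still knows which domain's key directory is being asked for. A direct-method server has no such hint and therefore has to live on each domain separately.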


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
