On Tue, Jan 19, 2021 at 11:15 AM Werner Koch <w...@gnupg.org> wrote: > > Stefan, > > It has been mentioned several time here that the use of the openpgpkey > sub-domain is required to allow implementation of the Web Key Directory > in browsers. This is a real world use case and pretty important for web > mailers like protonmail. > > I would suggest that you put your energy on a useful task instead of > confusing people here with crude arguments why we should support invalid > X.509 certificates for TLS connections. > > Thus go for Google and Mozilla and convince them that SRV records are > important for many applications. That is not just for the Web Key > Directory but also for XMPP clients in a browser and many other modern > protocols. After that as been achieved we can eventually migrate back > to SRV records.
Hello Werner, What you or maybe other people here do not get, I accept that there is for the advanced-method a requirement to use an openpgpkey subdomain part, which a) is triggered first and b) as understood by Damien's reply was asked for by some JavaScript programmers. This is perfectly fine! *But* when there exists also a direct-method in you current draft, which people like to use, when low on budged or which like to avoid, for whatever privacy reasons they have, the openpgpkey subdomain part, they should be IMHO allowed to use the direct-method only or at least GnuPG and gpg4win should fallback to this method, if a cert error, according to GnuPG's or gpg4win's WKD implementation occurs. I guess this would be a <5 minute quick fix in your codebase. Please try also to not use the term invald cert, if a cert is valid and only is 'invalid' in the current way of how GnuPG and gpg4win handles your WKD implementation. People know now that other OpenPGP apps can handle my github.io key, from my GitHUb page. Best regards Stefan _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users