Re: WKD Checker
On Tue, Jan 19, 2021 at 9:51 AM Neal H. Walfield wrote:
>
> On Mon, 18 Jan 2021 17:12:56 +0100,
> Stefan Claas wrote:
> > I repeat here once again GitHub has a *valid* SSL cert.
>
> You're right. github has a valid TLS certificate. But that valid TLS
> certificate is not valid for openpgpkey.sac001.github.io. That's just
> the way it is, sorry.

Hi Neal,

you don't have to say sorry ... because it is the way GnuPG and gpg4win handle this required openpgpkey subdomain part in their WKD advanced-method implementation, while I personally like to use the direct-method only, which according to Wiktor's WKD checker is properly set up for my github.io page and, most important, it is working with sequoia-pgp and Mailvelope etc. :-)

Best regards
Stefan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please tackle the Right Thing (was: WKD Checker)
On Tue, Jan 19, 2021 at 11:15 AM Werner Koch wrote:
>
> Stefan,
>
> It has been mentioned several times here that the use of the openpgpkey
> sub-domain is required to allow implementation of the Web Key Directory
> in browsers. This is a real world use case and pretty important for web
> mailers like protonmail.
>
> I would suggest that you put your energy on a useful task instead of
> confusing people here with crude arguments why we should support invalid
> X.509 certificates for TLS connections.
>
> Thus go for Google and Mozilla and convince them that SRV records are
> important for many applications. That is not just for the Web Key
> Directory but also for XMPP clients in a browser and many other modern
> protocols. After that has been achieved we can eventually migrate back
> to SRV records.

Hello Werner,

What you or maybe other people here do not get: I accept that there is, for the advanced-method, a requirement to use an openpgpkey subdomain part, which a) is triggered first and b) as understood from Damien's reply was asked for by some JavaScript programmers. This is perfectly fine!

*But* when there also exists a direct-method in your current draft, which people like to use when low on budget, or who like to avoid the openpgpkey subdomain part for whatever privacy reasons they have, they should IMHO be allowed to use the direct-method only, or at least GnuPG and gpg4win should fall back to this method if a cert error, according to GnuPG's or gpg4win's WKD implementation, occurs. I guess this would be a <5 minute quick fix in your codebase.

Please try also not to use the term invalid cert, if a cert is valid and only is 'invalid' in the current way of how GnuPG and gpg4win handle your WKD implementation. People know now that other OpenPGP apps can handle my github.io key from my GitHub page.

Best regards
Stefan
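The two lookup methods argued about in this message, and the certificate-name question behind the "valid" versus "invalid" dispute, as an added example; this is not code from any post in the thread, nor from GnuPG, gpg4win or sequoia-pgp. It assumes the URL layout and z-base-32 hashing of the WKD draft (draft-koch-openpgp-webkey-service), the single-label wildcard rule of RFC 6125, and a constructed certificate name list ("*.github.io"), since the thread does not state what names GitHub's certificate actually carries.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part (per the WKD draft).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, no padding."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 0x1F])
    if nbits:  # left-align the remaining bits into a final 5-bit group
        out.append(ZBASE32[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method WKD URLs for an e-mail address.

    The local part is lowercased, SHA-1 hashed and z-base-32 encoded for the path;
    the original local part is handed back in the ?l= query, as the draft specifies.
    """
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    query = "?l=" + quote(local, safe="")
    return {
        # tried first by GnuPG: needs a certificate valid for the openpgpkey.<domain> host
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
        # the direct method lives on the mail domain itself
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: a leading '*' matches exactly one DNS label, never several."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def wkd_hosts_covered(address: str, cert_names: list) -> dict:
    """For each WKD method, report whether one of the certificate's names covers its host."""
    result = {}
    for method, url in wkd_urls(address).items():
        host = url.split("/")[2]
        result[method] = any(cert_name_matches(name, host) for name in cert_names)
    return result


if __name__ == "__main__":
    # Constructed sample: an address on the github.io page discussed in the thread, and an
    # assumed certificate name list (the thread does not say what GitHub's certificate contains).
    addr = "someone@sac001.github.io"
    names = ["*.github.io", "github.io"]
    for method, url in wkd_urls(addr).items():
        print(f"{method:8s} {url}")
    print(wkd_hosts_covered(addr, names))
```

Run as a script it prints both URLs and a dict showing that, under the assumed name list, the direct-method host is covered while the advanced-method host is not: a wildcard covers one label, so the same certificate is valid for one WKD host and not the other, which is exactly the situation both sides of the thread are describing from different angles.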
Please tackle the Right Thing (was: WKD Checker)
Stefan,

It has been mentioned several times here that the use of the openpgpkey sub-domain is required to allow implementation of the Web Key Directory in browsers. This is a real world use case and pretty important for web mailers like protonmail.

I would suggest that you put your energy on a useful task instead of confusing people here with crude arguments why we should support invalid X.509 certificates for TLS connections.

Thus go for Google and Mozilla and convince them that SRV records are important for many applications. That is not just for the Web Key Directory but also for XMPP clients in a browser and many other modern protocols. After that has been achieved we can eventually migrate back to SRV records.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal statute.
Re: WKD Checker
On Mon, 18 Jan 2021 17:12:56 +0100,
Stefan Claas wrote:
> I repeat here once again GitHub has a *valid* SSL cert.

You're right. github has a valid TLS certificate. But that valid TLS certificate is not valid for openpgpkey.sac001.github.io. That's just the way it is, sorry.

:) Neal
The meaning of /.well-known/ (was: WKD Checker)
On 2021-01-18 at 17:12 +0100, Stefan Claas via Gnupg-users wrote:
> Neal, maybe you and your team, as professionals, can explain
> what the .well-known folder in a Web root is good for, because
> it is not only used for WKD and it is also used by many many
> apps, for verification purposes, like one can see in my GitHub
> project folder, regarding Brave verification and one can see
> that a .well-known folder serves its purpose for the direct
> method if one tries Wiktor's fine WKD checker with
> stefan.sac001.github.io.

Well-known URIs were defined nearly 11 years ago in rfc5785 (now obsoleted by rfc 8615), see https://tools.ietf.org/html/rfc5785

Basically, the /.well-known/ path introduces a namespace with a semantic for other protocols. Thus, example.com/.well-known/openpgpkey/ has a meaning for Web Key Directory. http://example.com/.well-known/acme-challenge/ is used for Automatic Certificate Management Environment (ACME) [rfc 8555], example.com/.well-known/mta-sts.txt is used to request that all emails are sent with SMTP encryption (rfc8461) and so on.

Compare this with a URL like https://example.com/cat, which has no special meaning. That could talk about your pet, an essay about the felis catus, a telecom operator in Thailand, a minecraft song, an Indian entrance exam, a UNIX program, a psychological therapy, the Catalan language, a unit of US Secret Service, a time zone, or the name of your significant other. If a new protocol wanted to use, with a special meaning, a URL you were already using for the above, perfectly fine, content, you would be understandably upset (and the new protocol could easily get confused by the existing pages). Reserving a portion of the namespace for these uses allows separating this.

You can have a look at the multiple things it is used for at the corresponding IANA registry: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml

Best regards
Re: WKD Checker
Hi Stefan,

On 18/01/2021 17.12, Stefan Claas via Gnupg-users wrote:
> I repeat here once again GitHub has a *valid* SSL cert.

You are right on that point. Absolutely right, seriously. It's actually their web server configuration which is suboptimal.

Those two statements are universally true, while the rest of this thread was only applicable to a specific context :-)

Good night.
André

--
Greetings...
From: André Colomb
Re: WKD Checker
On Mon, Jan 18, 2021 at 8:43 AM Neal H. Walfield wrote:
>
> On Sun, 17 Jan 2021 19:27:05 +0100,
> Ángel wrote:
> > I feel there is a need for a proper wkd test suite (as well as a
> > clarifying on the draft itself the things that are coming up).
>
> FWIW, there is Wiktor Kwapisiewicz's wkd checker:
>
> https://gitlab.com/wiktor-k/wkd-checker
> https://wkd.sequoia-pgp.org/
>
> This is more for checking a WKD setup than checking a WKD client.
>
> I'm sure he'd be open to issues for things that he missed.
>
> :) Neal

Hi Neal,

thanks for chiming in here again, which you normally do not have to do; instead you could enjoy popcorn while reading this thread. :-)

I like to leave this reply here as my last post, while I know this Mailing List is thankfully mirrored ... and links to this whole thread are also floating around in the Internet, in related forums.

I repeat here once again GitHub has a *valid* SSL cert. If GnuPG and gpg4win cannot handle properly the direct-method, e.g. a fallback if *for* GnuPG or gpg4win a certificate is 'invalid', and sequoia-pgp, Mailvelope etc. can use the direct-method, then it should tell us something.

As understood, Damien jumped in yesterday to explain why some JavaScript kiddies asked for a sub.sub openpgpkey domain support (Remember the *EU funded* openpgp.js library used in Mailvelope can handle my github.io key).

Let's also assume that Werner, in his ivory tower, 'protected' by the *Old* Guard, is correct and I am now officially known as retard, or whatever people like to call me, and GitHub would make changes to their IT infrastructure, so that according to a *draft* GnuPG and gpg4win can handle this. What happens if I invent tomorrow WKD for S/MIME and WKD for NaClbox according to Werner's current *draft*, because many people would like it? Should GitHub do then changes *again*?

Neal, maybe you and your team, as professionals, can explain what the .well-known folder in a Web root is good for, because it is not only used for WKD and it is also used by many many apps, for verification purposes, like one can see in my GitHub project folder, regarding Brave verification, and one can see that a .well-known folder serves its purpose for the direct method if one tries Wiktor's fine WKD checker with stefan.sac001.github.io.

I finish now and I am very thankful that you jumped in for clarification, which you should not have had to do, and also thanks to dkg for suggesting clarification on dev.gnupg.org.

Best regards
Stefan
WKD Checker
On Sun, 17 Jan 2021 19:27:05 +0100,
Ángel wrote:
> I feel there is a need for a proper wkd test suite (as well as a
> clarifying on the draft itself the things that are coming up).

FWIW, there is Wiktor Kwapisiewicz's wkd checker:

https://gitlab.com/wiktor-k/wkd-checker
https://wkd.sequoia-pgp.org/

This is more for checking a WKD setup than checking a WKD client.

I'm sure he'd be open to issues for things that he missed.

:) Neal