> Now I'm a bit confused :O
> I thought WKD can be used with your own webserver. So why do I have to
> make a CNAME record pointing to "wkd.keys.openpgp.org"?
>
> Or did I understand anything wrong?
Sorry, that was confusing without context. Yes, WKD is bound to the domain of
the email
On Sat, Jan 16, 2021 at 12:55 PM Stefan Claas
wrote:
>
> On Sat, Jan 16, 2021 at 12:52 PM Stefan Claas
> wrote:
> >
> > On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users
> > wrote:
> > >
> > > Hello Group!
> >
> > > BTW ... do any of you know a tutorial to set up WKD for
On Sat, Jan 16, 2021 at 12:52 PM Stefan Claas
wrote:
>
> On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users
> wrote:
> >
> > Hello Group!
>
> > BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?
>
> Hi Juergen,
>
> me as a Windows DAU (Dümmster Anzunehmender User)
On Sat, Jan 16, 2021 at 10:32 AM Juergen Bruckner via Gnupg-users
wrote:
>
> Hello Group!
> BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?
Hi Juergen,
me as a Windows DAU (Dümmster Anzunehmender User) used the direct-method:
Create in your web server's root directory the
Hello Group!
On 16.01.21 at 03:26, Vincent Breitmoser via Gnupg-users wrote:
Daniel Kahn Gillmor via Gnupg-users wrote:
On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
The "make a CNAME of your openpgpkeys subdomain to
wkd.keys.openpgp.org" couldn't work with https certificate validation,
Daniel Kahn Gillmor via Gnupg-users wrote:
> On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
> > The "make a CNAME of your openpgpkeys subdomain to
> > wkd.keys.openpgp.org" couldn't work with https certificate validation,
> > though (or are they requesting a certificate on-the-fly?)
>
> In fact,
On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:
> The "make a CNAME of your openpgpkeys subdomain to
> wkd.keys.openpgp.org" couldn't work with https certificate validation,
> though (or are they requesting a certificate on-the-fly?)
In fact, i believe that keys.openpgp.org *is* requesting and
On Wed, Jan 13, 2021 at 8:42 AM Daniele Nicolodi wrote:
>
> On 12/01/2021 23:30, Stefan Claas wrote:
> > The reason why I like also the option for, let's say github.io pages
> > is that, like I have shown in the whole thread that a very well known
> > site like GitHub, with its millions of
On 12/01/2021 23:30, Stefan Claas wrote:
> The reason why I like also the option for, let's say github.io pages
> is that, like I have shown in the whole thread that a very well known
> site like GitHub, with its millions of software developers allows one
> to host, via WKD, a multi-purpose usage
On 12/01/2021 22:17, Stefan Claas wrote:
> On Tue, Jan 12, 2021 at 10:09 PM Daniele Nicolodi wrote:
>>
>> On 12/01/2021 20:40, Stefan Claas via Gnupg-users wrote:
>>> On Tue, Jan 12, 2021 at 8:17 PM André Colomb wrote:
Hi Stefan,
>>>
So there are two "bugs" involved here. 1.
On Wed, Jan 13, 2021 at 12:00 AM André Colomb wrote:
>
> On 12/01/2021 23.47, Stefan Claas wrote:
> > Mmmh ... github.io or GitHub does *not* have issues with wildcard
> > domains ...
>
> Here we are back at you denying facts, or maybe just generalizing too
> much. As several others have put it
On 12/01/2021 23.47, Stefan Claas wrote:
> Mmmh ... github.io or GitHub does *not* have issues with wildcard
> domains ...
Here we are back at you denying facts, or maybe just generalizing too
much. As several others have put it already:
When "browsing" to openpgpkey.sac001.github.io with
On 12/01/2021 23.33, Stefan Claas via Gnupg-users wrote:
> On Tue, Jan 12, 2021 at 11:32 PM Remco Rijnders wrote:
>> I don't see the valid SSL certificate you keep on insisting is there.
I totally agree with that. It's valid for the sac001 subdomain, but
INVALID for anything below that, which
On Tue, Jan 12, 2021 at 11:46 PM André Colomb wrote:
>
> Hi Stefan,
>
> On 12/01/2021 23.16, Stefan Claas wrote:
> > Andre, please apologize that I snipped your reply and that I only
> > give a short reply, your explanations of server/client IO was
> > welcome.
>
> I'm happy if it helps keeping
Hi Stefan,
On 12/01/2021 23.16, Stefan Claas wrote:
> Andre, please apologize that I snipped your reply and that I only
> give a short reply, your explanations of server/client IO was
> welcome.
I'm happy if it helps keeping this discussion constructive and not
turning into a flame war :-)
> I
On Tue, Jan 12, 2021 at 11:32 PM Remco Rijnders wrote:
>
> On Tue, Jan 12, 2021 at 10:17:13PM +0100, Stefan wrote in
> :
> >> How can GPG solve bugs that are not in the GPG code or infrastructure? I
> >> think André did a great job explaining what the issues are. How do you
> >> think they can be
On Tue, Jan 12, 2021 at 11:02 PM Daniele Nicolodi wrote:
> The point of WKD is using the trust of the CA machinery (and the
> assumption that the email infrastructure and web servers serving a
> specific domain are run by the same organization) to securely retrieve
> OpenPGP keys associated to
On Tue, Jan 12, 2021 at 10:17:13PM +0100, Stefan wrote in
:
How can GPG solve bugs that are not in the GPG code or infrastructure? I
think André did a great job explaining what the issues are. How do you
think they can be addressed by GPG?
If you followed the whole thread you may agree that
On Tue, Jan 12, 2021 at 10:58 PM André Colomb wrote:
[...]
Andre, please apologize that I snipped your reply and that I only
give a short reply, your explanations of server/client IO was
welcome.
In my OP I only asked for help from the community to set-up
WKD for GnuPG or gpg4win usage and I
On 12/01/2021 20:40, Stefan Claas via Gnupg-users wrote:
> On Tue, Jan 12, 2021 at 8:17 PM André Colomb wrote:
>> One more question: You're talking about OpenPGP key discovery setups for
>> families and small groups, IIUC. And that should involve WKD and
>> GitHub. But how should these people
On 12/01/2021 20.40, Stefan Claas wrote:
>> So there are two "bugs" involved here. 1. GitHub presenting an invalid
>> certificate for the sub-subdomain and 2. Sequoia not noticing that.
>> Neither of these are bugs in GnuPG. If you can accept these facts, then
>> it makes sense to further
On Tue, Jan 12, 2021 at 10:09 PM Daniele Nicolodi wrote:
>
> On 12/01/2021 20:40, Stefan Claas via Gnupg-users wrote:
> > On Tue, Jan 12, 2021 at 8:17 PM André Colomb wrote:
> >>
> >> Hi Stefan,
> >
> >> So there are two "bugs" involved here. 1. GitHub presenting an invalid
> >> certificate for
On 12/01/2021 20:40, Stefan Claas via Gnupg-users wrote:
> On Tue, Jan 12, 2021 at 8:17 PM André Colomb wrote:
>>
>> Hi Stefan,
>
>> So there are two "bugs" involved here. 1. GitHub presenting an invalid
>> certificate for the sub-subdomain and 2. Sequoia not noticing that.
>> Neither of these
On Tue, Jan 12, 2021 at 9:43 PM Andrew Gallagher wrote:
>
>
> > On 12 Jan 2021, at 19:44, Stefan Claas via Gnupg-users
> > wrote:
> >
> > Hi Andre, currently I can only accept the fact that these two "bugs" are
> > currently not resolved in GnuPG and gpg4win, if you allow me to
> > formulate it
> On 12 Jan 2021, at 19:44, Stefan Claas via Gnupg-users
> wrote:
>
> Hi Andre, currently I can only accept the fact that these two "bugs" are
> currently not resolved in GnuPG and gpg4win, if you allow me to
> formulate it this way.
You should not formulate it this way. If the bugs are not
On Tue, Jan 12, 2021 at 8:17 PM André Colomb wrote:
>
> Hi Stefan,
> So there are two "bugs" involved here. 1. GitHub presenting an invalid
> certificate for the sub-subdomain and 2. Sequoia not noticing that.
> Neither of these are bugs in GnuPG. If you can accept these facts, then
> it makes
Hi Stefan,
maybe I'm not the only one here who doesn't fully follow what your
"proposal" actually is. For me, it sounds like you are misunderstanding
some things and therefore think you are making a superior proposal where
it is actually based on wrong assumptions.
On 12/01/2021 18.05, Stefan
On Tue, Jan 12, 2021 at 5:36 PM Ingo Klöcker wrote:
>
> On Tuesday, 12 January 2021 12:47:59 CET Stefan Claas via Gnupg-users wrote:
> > On Tue, Jan 12, 2021 at 12:43 PM Andrew Gallagher
> wrote:
> > > Yes, WKD is great. But as André has explained, there is an overhead cost
> > > (to everyone)
On Tuesday, 12 January 2021 12:47:59 CET Stefan Claas via Gnupg-users wrote:
> On Tue, Jan 12, 2021 at 12:43 PM Andrew Gallagher
wrote:
> > Yes, WKD is great. But as André has explained, there is an overhead cost
> > (to everyone) for trying the direct method first, so inverting this to
> >
On Tue, Jan 12, 2021 at 1:04 PM Stefan Claas
wrote:
>
> On Tue, Jan 12, 2021 at 12:47 PM Stefan Claas
> wrote:
> And for the fun factor I could put also an .ots file from my pub key into
> the hu directory, thus making Mallory a bit angry ... :-D
Unfortunately I am no skilled Golang programmer,
On Tue, Jan 12, 2021 at 2:22 PM Stefan Claas
wrote:
>
> On Tue, Jan 12, 2021 at 1:04 PM Stefan Claas
> wrote:
> >
> > On Tue, Jan 12, 2021 at 12:47 PM Stefan Claas
> > wrote:
>
> > And for the fun factor I could put also an .ots file from my pub key into
> > the hu directory, thus making Mallory
On Tue, Jan 12, 2021 at 12:47 PM Stefan Claas
wrote:
> Well, I am not sure about the details for a server or a user when it comes
> to overhead and if you mean with one particular vendor GitHub, well
> that may be the beginning, for such request. But like I mentioned if people
> would wish to
On Tue, Jan 12, 2021 at 12:43 PM Andrew Gallagher wrote:
>
> On 12/01/2021 11:27, Stefan Claas wrote:
> > The point for me is WKD exists and can be used as a cheap inhouse
> > solution, for families or organizations, if it would allow cost effective
> > wildcard subdomain support for SSL certs,
On 12/01/2021 11:27, Stefan Claas wrote:
The point for me is WKD exists and can be used as a cheap inhouse
solution, for families or organizations, if it would allow cost effective
wildcard subdomain support for SSL certs, which IMHO can not hurt
and if the direct method would be triggered
On Tue, Jan 12, 2021 at 11:49 AM Andrew Gallagher wrote:
>
> On 12/01/2021 08:25, Stefan Claas via Gnupg-users wrote:
>
> > if this would work, like I mentioned in my bund.de example, organizations
> > would have the freedom to choose WKD instead of hockeypuck or Hagrid,
> > and they would have a
On 12/01/2021 08:25, Stefan Claas via Gnupg-users wrote:
if this would work, like I mentioned in my bund.de example, organizations
would have the freedom to choose WKD instead of hockeypuck or Hagrid,
and they would have a compatible *inhouse* solution, via simple
Web management, instead of
On Tue, Jan 12, 2021 at 09:25:15AM +0100, Stefan Claas via Gnupg-users
wrote:
It would be nice to know why the advanced method was added.
To give more flexibility for people setting up a WKD for more than one
domain.
Let’s say that I manage example.org and example.net, and I want to serve
On 12/01/2021 09.25, Stefan Claas via Gnupg-users wrote:
> It would be nice to know why the advanced method was added. In case
> the direct method would not be sufficient or would have security issues
> I would think that then one replaces the direct method with advanced
> one and then we only need
On Mon, Jan 11, 2021 at 11:03 PM Ángel wrote:
>
> On 2021-01-11 at 16:36 +0100, Stefan Claas wrote:
> > On Sun, Jan 10, 2021 at 11:22 PM Ángel wrote:
> > > On 2021-01-10 at 18:47 +0100, Stefan Claas wrote:
> > > > Can you tell me/us in laymen terms how this works with gnupg.org?
> > >
> > > Sure.
On 2021-01-11 at 16:36 +0100, Stefan Claas wrote:
> On Sun, Jan 10, 2021 at 11:22 PM Ángel wrote:
> > On 2021-01-10 at 18:47 +0100, Stefan Claas wrote:
> > > Can you tell me/us in laymen terms how this works with gnupg.org?
> >
> > Sure. Let's suppose you wanted to fetch Werner's key. You want
On Mon, Jan 11, 2021 at 6:16 PM Andrew Gallagher wrote:
>
> On 11/01/2021 16:32, Stefan Claas via Gnupg-users wrote:
> > I will do this in the next couple of days, in case Werner does not
> > chime in (assuming
> > he is not 'AWOL').
>
> Stefan, please dial down the casual sniping at Werner. It's
On 11/01/2021 16:32, Stefan Claas via Gnupg-users wrote:
I will do this in the next couple of days, in case Werner does not
chime in (assuming
he is not 'AWOL').
Stefan, please dial down the casual sniping at Werner. It's not
constructive.
--
Andrew Gallagher
On Mon, Jan 11, 2021 at 4:55 PM ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
wrote:
>
> At 12021/00/10 04:42.21, Stefan Claas via Gnupg-users
> wrote:
> > Not sure if Let's Encrypt issues such certs. If, I could set-up two
> > droplets at
> > Digital Ocean, a bob.300baud.de one and an alice.300baud.de
At 12021/00/10 04:42.21, Stefan Claas via Gnupg-users
wrote:
> Not sure if Let's Encrypt issues such certs. If, I could set-up two droplets
> at
> Digital Ocean, a bob.300baud.de one and an alice.300baud.de one and see
> what happens.
Let's Encrypt does offer such certificates. You can
On Sun, Jan 10, 2021 at 11:22 PM Ángel wrote:
>
> On 2021-01-10 at 18:47 +0100, Stefan Claas via Gnupg-users wrote:
> > Can you tell me/us in laymen terms how this works with gnupg.org?
> >
> > openpgpkey.gnupg.org has address 217.69.77.222
> > openpgpkey.gnupg.org has IPv6 address
On 2021-01-10 at 18:47 +0100, Stefan Claas via Gnupg-users wrote:
> Can you tell me/us in laymen terms how this works with gnupg.org?
>
> openpgpkey.gnupg.org has address 217.69.77.222
> openpgpkey.gnupg.org has IPv6 address 2001:aa8:fff1:100::22
>
> Regards
> Stefan
Sure. Let's suppose you
On Sun, Jan 10, 2021 at 6:01 PM Ángel wrote:
> sequoia is in the wrong here. You don't have a valid SSL cert for
> openpgpkey.sac001.github.io Either they are not supporting the advanced
> method (maybe they follow an older draft?) or they ignore the
> certificate failure (which would be quite
On 2021-01-09 at 23:40 +0100, Stefan Claas via Gnupg-users wrote:
> Well, I wish Werner would chime in, because what I really don't
> understand why do we have two options, instead of one and why is the
> advanced method the first one to be checked, if we have as first one
> the direct method,
On Sat, Jan 9, 2021 at 11:49 PM Stefan Claas
wrote:
> Like I said in my previous reply to Ingo, It would be nice if GitHub staff
> would
> see this thread and talk with Werner.
Well, I just wrote GitHub support and asked if their staff can check
this thread,
which I linked to in my message.
On Sat, Jan 9, 2021 at 11:42 PM Ángel wrote:
>
> On 2021-01-09 at 14:37 +0100, Stefan Claas via Gnupg-users wrote:
> > I believe GitHub is doing it right, because it is a
> > valid option according to their SSL cert data, and Werner simply
> > overlooked this option.
>
> It is not. A certificate
On Sat, Jan 9, 2021 at 11:09 PM Ingo Klöcker wrote:
>
> On Saturday, 9 January 2021 20:50:54 CET Stefan Claas via Gnupg-users wrote:
> > On Sat, Jan 9, 2021 at 8:08 PM Stefan Claas
> > wrote:
> > > host sac001.github.io
> > > sac001.github.io has address 185.199.111.153
> > > sac001.github.io has
On 2021-01-09 at 14:37 +0100, Stefan Claas via Gnupg-users wrote:
> I believe GitHub is doing it right, because it is a
> valid option according to their SSL cert data, and Werner simply
> overlooked this option.
It is not. A certificate for *.github.io doesn't cover
openpgpkey.sac001.github.io
On Saturday, 9 January 2021 20:50:54 CET Stefan Claas via Gnupg-users wrote:
> On Sat, Jan 9, 2021 at 8:08 PM Stefan Claas
> wrote:
> > host sac001.github.io
> > sac001.github.io has address 185.199.111.153
> > sac001.github.io has address 185.199.109.153
> > sac001.github.io has address
On Sat, Jan 9, 2021 at 8:08 PM Stefan Claas
wrote:
> host sac001.github.io
> sac001.github.io has address 185.199.111.153
> sac001.github.io has address 185.199.109.153
> sac001.github.io has address 185.199.110.153
> sac001.github.io has address 185.199.108.153
>
> works as well and why can
On Sat, Jan 9, 2021 at 7:27 PM Ingo Klöcker wrote:
>
> On Saturday, 9 January 2021 15:43:14 CET Stefan Claas via Gnupg-users wrote:
> > Example: If I would be the host master of the domain bund.de with its
> > many subdomains and authorities would request that WKD, as an
> > inexpensive inhouse
On Saturday, 9 January 2021 15:43:14 CET Stefan Claas via Gnupg-users wrote:
> On Sat, Jan 9, 2021 at 2:37 PM Stefan Claas
> wrote:
> > Hi Neal,
> >
> > thanks for the reply, much appreciated! Simply said, for the average
> > user like me, I believe GitHub is doing it right, because it is a
> >
On Fri, Jan 8, 2021 at 11:34 PM Stefan Claas
wrote:
> But (sorry to say this here on the GnuPG ML) good news is
> I just tested it with an older version of sequoia-pgp and guess
> what it works for me. :-)
>
> sq wkd get ste...@sac001.github.io
> -BEGIN PGP PUBLIC KEY BLOCK-
> Comment:
On Sat, Jan 9, 2021 at 2:37 PM Stefan Claas
wrote:
> Hi Neal,
>
> thanks for the reply, much appreciated! Simply said, for the average
> user like me, I believe GitHub is doing it right, because it is a
> valid option according to their SSL cert data, and Werner simply
> overlooked this option.
On Sat, Jan 9, 2021 at 11:37 AM Neal H. Walfield wrote:
> It appears that gpg is trying the advanced lookup method, gets an
> error, and then doesn't fallback to the direct lookup method. This is
> consistent with the I-D:
>
>3.1. Key Discovery
>
>...
>
>There are two variants on
Hi Stefan,
On Fri, 08 Jan 2021 23:05:52 +0100,
Stefan Claas via Gnupg-users wrote:
> On Fri, Jan 8, 2021 at 10:21 PM Stefan Claas
> wrote:
>
> > I guess the only way to fix it (for many people) would be
> > that, as of my understanding (now) the WKD check
> > and SSL cert check would be a bit
On Fri, Jan 8, 2021 at 11:27 PM André Colomb wrote:
>
> Hi Stefan,
>
> your key seems to work fine over that WKD setup.
>
> > Now Wiktor's WKD checker gives the proper
> > results in the first part, not sure why not in the
> > second part.
>
> You don't need the "Advanced" method if the direct
Hi Stefan,
your key seems to work fine over that WKD setup.
> Now Wiktor's WKD checker gives the proper
> results in the first part, not sure why not in the
> second part.
You don't need the "Advanced" method if the direct one already works.
They basically exist to provide flexibility for
On Fri, Jan 8, 2021 at 10:21 PM Stefan Claas
wrote:
> I guess the only way to fix it (for many people) would be
> that, as of my understanding (now) the WKD check
> and SSL cert check would be a bit more flexible, either
> in allowing subdomains, like the github.io ones in form
> of a fix in the
; requirement, no?
>
> Also make sure that the MIME content type and
> Access-Control-Allow-Origin headers are set correctly.
I guess I have created a new use case, regarding WKD
usage for GitHub pages and how Werner implemented
WKD.
I guess the only way to fix it (for many people) would be
t
Hi Stefan,
> I just started to set-up a github-page and have also verified
> the page via Brave. I tried to set-up WKD for the page, like
> I did in the past for my 300baud.de Domain, but fetching
> the key with GnuPG does not work for me. :-(
You could try the online WKD checker here:
On Fri, Jan 8, 2021 at 7:36 PM Stefan Claas
wrote:
>
> Ok, had a typo in the openpgpkey folder, ouch.
>
> Now Wiktor's WKD checker gives the proper
> results in the first part, not sure why not in the
> second part.
>
> Need to try to fetch my pub key.
Does not work, 'wrong name'
I guess I
Ok, had a typo in the openpgpkey folder, ouch.
Now Wiktor's WKD checker gives the proper
results in the first part, not sure why not in the
second part.
Need to try to fetch my pub key.
Regards
Stefan
On Fri, Jan 8, 2021 at 6:42 PM Stefan Claas
wrote:
>
> Hi all,
>
> I just started to set-up
Hi all,
I just started to set-up a github-page and have also verified
the page via Brave. I tried to set-up WKD for the page, like
I did in the past for my 300baud.de Domain, but fetching
the key with GnuPG does not work for me. :-(
My key UID there is 'ste...@sac001.github.io'
It would be