Re: [openpgp] OpenPGP Web Key Directory I-D

Werner Koch <wk@gnupg.org> Tue, 13 November 2018 14:15 UTC

From: Werner Koch <wk@gnupg.org>
To: Bjarni Runar Einarsson <bre@pagekite.net>
Cc: Paul Fawkesley <paul@fluidkeys.com>, "openpgp@ietf.org" <openpgp@ietf.org>
References: <87ftwbye1s.fsf@wheatstone.g10code.de> <DiIWPgMENERRi7akurqzJbz8IyvtxcuHX2bdNqRr22db@mailpile>
Organisation: GnuPG e.V.
Date: Tue, 13 Nov 2018 15:15:05 +0100
In-Reply-To: <DiIWPgMENERRi7akurqzJbz8IyvtxcuHX2bdNqRr22db@mailpile> (Bjarni Runar Einarsson's message of "Mon, 12 Nov 2018 16:33:33 -0000")
Message-ID: <874lcloyhi.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UCNwhFMFmoDh57dtNBaptjXLjMI>
Subject: Re: [openpgp] OpenPGP Web Key Directory I-D
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>

On Mon, 12 Nov 2018 17:33, bre@pagekite.net said:

> If I were to implement support for SRV records, that would mean I
> can no longer rely on Tor to do that for us, but need to start
> thinking about DNS-over-HTTPS or other emerging standards (or,

Well, GnuPG implements a full DNS resolver over Tor (but w/o DNSSEC).
This was required to properly implement access to the keyserver pools.
If there is a need we could turn this into a public API.

> I'm very happy not to have to deal with that.

Mailpile will also like it.

>> First try
>>
>>      https://openpgpkey.example.org/.well-known/openpgpkey/...
>>

> This works well for Mailpile.

I changed this in the -07 I-D to 

  https://openpgpkey.example.org/.well-known/openpgpkey/example.org/...

to make it easier to host several domains and to convey the domain info
without resorting to HTTP header info.

> I might be tempted to suggest trying the bare domain first, and
> openpgpkey.example.org as a fallback, simply because from a
> privacy point of view that leaks less information about what the
> client is doing.

But in this regard it is not different from SRV RRs.  The requests
should anyway be easy to identify because the reply is pretty small or
by utilizing the fact that an encrypted mail is anyway soon sent to the
same provider.

> on something that is dead-simple to implement both on the client
> and the server, even if the "fixed subdomain" is a hack from a
> protocol-purity point of view. It's pragmatic and it works, which

Right, but Mozilla and MS Exchange do something very similar to ease the
configuration of a mail account.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
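Added example (not part of Werner's message, the I-D text, or GnuPG's code): a small Python script that builds the WKD lookup URLs for a mail address in the order the thread discusses, i.e. the openpgpkey.<domain> host with the domain repeated in the path (the -07 form quoted above) first, and the bare domain as the fallback. The hashing of the local-part (ASCII-lowercased, SHA-1, z-base-32) and the "hu/" and "policy" path components follow my reading of the Web Key Directory draft; the address Joe.Doe@Example.ORG is a constructed sample input, and the function names are my own.

```python
"""Build Web Key Directory (WKD) lookup URLs for a mail address.

Added example, not code from the I-D or from GnuPG.  It follows the URL
layout discussed in the thread: the openpgpkey.<domain> host with the
domain repeated in the path is tried first, the bare domain second.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD to encode the hashed local-part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # right-pad the bit string with zeros up to a multiple of 5 bits
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 0x1F]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the ASCII-lowercased local-part, z-base-32 encoded (32 chars)."""
    lowered = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method WKD URLs for an address."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("not a mail address: %r" % address)
    domain = domain.lower()          # DNS names are case-insensitive
    h = wkd_hash(local_part)
    # the l= query parameter carries the local-part as given, not lowercased
    q = "?l=" + quote(local_part, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct = f"https://{domain}/.well-known/openpgpkey"
    return {
        # the policy file is what a client probes to see whether the
        # openpgpkey sub-domain really serves a WKD (wildcard DNS exists)
        "advanced_policy": advanced + "/policy",
        "advanced_key": f"{advanced}/hu/{h}{q}",
        "direct_policy": direct + "/policy",
        "direct_key": f"{direct}/hu/{h}{q}",
    }


def lookup_order(address: str) -> list:
    """Key URLs in the order a client tries them: advanced first, direct as fallback."""
    urls = wkd_urls(address)
    return [urls["advanced_key"], urls["direct_key"]]


if __name__ == "__main__":
    # constructed sample input
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

Both candidate hosts are in the same provider's hands, so, as the message says, the choice between them changes little for the observer; what the script does make visible is that only the hashed local-part and the original local-part in the query string leave the client, and that the domain name is carried in the path rather than in an HTTP header.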