Re: [openpgp] Web Key Directory and CORS
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 April 2019 11:47 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1226612009E for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2019 04:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=Z9DthMBO; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=UkU6BIlc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGoi2_SdL7Fv for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2019 04:47:14 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39857120089 for <openpgp@ietf.org>; Wed, 3 Apr 2019 04:47:14 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1554292032; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=FmZJ2mEXSym0dgHgsMYwH6H4Z3P74vHLEaBjYY5nbVw=; b=Z9DthMBOu4Y+gRWTdQi8hfrJHAefzWW4whOeqHF7U5sVt2FXkWMamj21 uAC616TSCxEhqs4wC2h5KVeo2pB1Aw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1554292032; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=FmZJ2mEXSym0dgHgsMYwH6H4Z3P74vHLEaBjYY5nbVw=; b=UkU6BIlcSLqBjwbO7latZat+Q3kG6327EVoCJhvdc39aw1vKAP3Wdk+a bx62/FcJllkbtrQ4JyqCE9AdBuRj0r9OdrM+7ZmFXhQ7wDSlQIdpEy2vK7 D2CWipwbLE0J44fr/06KkJn5/z7J+gmh8d1N2fuhz84TZyOt/uWaMai90E W5ODmrnOONnyba7SMuXHU6pJ3++96cwlhCEU/DvurXiZhI2ALWFY/U+NUA 4D1WyFkL9LUgbI00b42TqNIjEv8jHB3D1UCjTh0Qsuo6JMLY+71SsusL6i jVoXlExHsEIJaZ/dfays5fBBOJbYpw1P/fZaQGZjvkeSpjPTkr3C/A==
Received: from fifthhorseman.net (unknown [IPv6:2001:470:1f07:60d:d0f0:7dff:fecb:e7a6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id BDAFAF99D; Wed, 3 Apr 2019 07:47:11 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id C42FA203C8; Wed, 3 Apr 2019 07:47:08 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Wiktor Kwapisiewicz <wiktor@metacode.biz>, Werner Koch <wk@gnupg.org>
Cc: openpgp@ietf.org
In-Reply-To: <ec0da01e-79af-d315-d277-1a1b7bca61fd@metacode.biz>
References: <02531d3b-c743-6c34-f93b-0bd7a087aa5c@metacode.biz> <87y34uaat4.fsf@fifthhorseman.net> <ec0da01e-79af-d315-d277-1a1b7bca61fd@metacode.biz>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Wed, 03 Apr 2019 07:47:08 -0400
Message-ID: <87y34r48g3.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/HxOSkh_p1p0EuEAIQ6lQLocM0yM>
Subject: Re: [openpgp] Web Key Directory and CORS
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2019 11:47:17 -0000
On Wed 2019-04-03 12:14:36 +0200, Wiktor Kwapisiewicz wrote:
> If by "how to properly constrain" you mean configuration on the server
> side then it looks something like that for nginx:
>
> location /.well-known/openpgpkey {
> add_header Access-Control-Allow-Origin '*' always;
> }
>
> or for Apache:
>
> <Location "/.well-known/openpgpkey">
> Header set Access-Control-Allow-Origin "*"
> </Location>
>
> I agree that it's a good idea to expose it as narrowly as possible,
> though it doesn't give JavaScript code in the browser more power than
> "curl". (I can discuss details in case anyone is interested).
thanks, this is super useful. Could you propose text to be added to
https://tools.ietf.org/html/draft-koch-openpgp-webkey-service as
deployment guidance?
> Just in case a proof-of-concept is needed I wrote a simple decentralized
> encrypt-then-email page that utilizes OpenPGP.js, CORS WKD and mailto
> links: https://metacode.biz/sandbox/encrypt
neat, thanks for this! It's a shame that it can't produce PGP/MIME
messages, but rather does inline PGP, but i can see that's a limitation
of mailto: itself.
I'm assuming this is yours as well:
https://metacode.biz/openpgp/web-key-directory
that's very useful testing harness. It doesn't seem to match draft -07
though, because it's missing the l= query parameter
(https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-3.1),
and i can't tell whether it tries the "openpgpkey.*" subdomain first.
Many thanks for putting concrete testing infrastructure in place for
this, and walking through what such a tool needs to be useful in the
browser-based message composition context!
--dkg
- [openpgp] Web Key Directory and CORS Wiktor Kwapisiewicz
- Re: [openpgp] Web Key Directory and CORS Bart Butler
- Re: [openpgp] Web Key Directory and CORS Daniel Kahn Gillmor
- Re: [openpgp] Web Key Directory and CORS Wiktor Kwapisiewicz
- Re: [openpgp] Web Key Directory and CORS Daniel Kahn Gillmor
- Re: [openpgp] Web Key Directory and CORS Wiktor Kwapisiewicz