[openpgp] Re: Certificate discovery over HKP

Vincent Breitmoser <look@my.amazin.horse> Wed, 09 April 2025 00:20 UTC

To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
References: <A748070A-4774-41F9-92E8-55F724B8834C@my.amazin.horse> <533BAF31-3076-4E0F-A4AF-904A26049132@andrewg.com>
Content-Language: en-US
From: Vincent Breitmoser <look@my.amazin.horse>
In-Reply-To: <533BAF31-3076-4E0F-A4AF-904A26049132@andrewg.com>
CC: openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/LMvrV_pnNar2eDI0zs8ldp7MYl8>

Hi Andrew and list,

On 08.04.25 23:00, Andrew Gallagher wrote:
> The first few messages in the old thread I linked lay out the general idea. WKD has some unusual properties that make it more difficult than necessary to implement, particularly the hashing scheme, which prevents things like case or special character normalisation. For example, gmail maps john.doe(at)gmail.com and johndoe(at)gmail.com to the same account. Hashing prevents these from being easily identified by the server, hence WKD lookups are now required to send both the hashed and unhashed forms of the same address. Also, the form of the policy file causes issues with some web hosters, and the requirement for the policy file and the actual certificates to be served from the same hostname means that a shared service provider (such as KOO) has to implement a certificate infrastructure. On the other hand, a simpler indirection format allows an existing keyserver to serve certs for discovery using a single lookup protocol. And finally, we cannot safely serve v6 keys over existing WKD for fear of compatibility issues with unpatched legacy code.

Thanks for explaining.

I don't want to be too dismissive of these efforts, but personally I'm not convinced of the value proposition. WKD took us a decade to get to a relatively stable state, and there are now finally some tens of thousands of domains that use it. The features listed here do not warrant a competing standard imo, unless WKD is completely stuck as a spec - which I don't think (hope) it is.

That said, y'all summit goers have certainly thought this through more than I have. Perhaps I'm missing some pieces of the picture.

Cheers

  - V
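The normalisation problem Andrew describes can be made concrete by building WKD lookup URLs by hand. This is an added illustration, not code from the thread or from any WKD implementation; it follows the WKD draft's scheme (z-base-32 of the SHA-1 of the lowercased local part, plus the plaintext `l=` parameter) and uses the draft's own `Joe.Doe@Example.ORG` test vector, while the gmail-style addresses are constructed inputs.

```python
import base64
import hashlib
from urllib.parse import quote

# z-base-32 uses the same 5-bit, MSB-first grouping as RFC 4648 base32,
# only with a different alphabet and no padding, so translating the
# standard encoder's output is enough.
_RFC4648_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648_ALPHABET, _ZBASE32_ALPHABET)


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' path component: z-base-32(SHA-1(lowercased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    std = base64.b32encode(digest).decode("ascii").rstrip("=")
    return std.translate(_TO_ZBASE32)


def wkd_urls(address: str) -> dict:
    """Direct and advanced WKD lookup URLs for one address.

    The hash hides the local part from the server; only the plaintext 'l='
    query parameter lets it apply provider-specific normalisation rules.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hash(local_part)
    l_param = quote(local_part, safe="")  # percent-encode unusual characters
    base = f"/.well-known/openpgpkey"
    return {
        "direct": f"https://{domain}{base}/hu/{hu}?l={l_param}",
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{hu}?l={l_param}",
    }


def hashes_collide(a: str, b: str) -> bool:
    """True if two local parts map to the same hash (only case is normalised)."""
    return wkd_hash(a) == wkd_hash(b)


if __name__ == "__main__":
    # Test vector from the WKD draft.
    print(wkd_urls("Joe.Doe@Example.ORG")["advanced"])
    # Gmail treats these as one mailbox, yet their hashes differ, so a server
    # keyed only by the hash cannot recognise the equivalence.
    print(hashes_collide("john.doe", "johndoe"))   # False
    print(hashes_collide("John.Doe", "john.doe"))  # True
```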