Re: [openpgp] OpenPGP Web Key Directory I-D

Werner Koch <> Sat, 10 November 2018 10:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 53823127332 for <>; Sat, 10 Nov 2018 02:30:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Qjgof1o_MX_s for <>; Sat, 10 Nov 2018 02:30:11 -0800 (PST)
Received: from ( [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D47A4124408 for <>; Sat, 10 Nov 2018 02:30:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=20181017; h=Content-Type:MIME-Version:Message-ID:In-Reply-To:Date: References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=m3FJhXX3fVAIVrdbIEDY9djoL1+7lg2VFGPIXJZLznc=; b=YdoPw4DlU744bwduD9DYpq/0e1 FXELXj8GveNAUGOoX8BfL99jylhsh3jclcRyDSnFb6evXhG4xRPMUA71Qemp0NgKYjcG9upOX3GKG r0+mWT+H9d7JR3jWEi0aGswIp6C+rIfQx1ODogbktd6YHkPhHYlSrwp5nEPaPUGI5c1A=;
Received: from uucp by with local-rmail (Exim 4.89 #1 (Debian)) id 1gLQWn-0000Wi-A6 for <>; Sat, 10 Nov 2018 11:30:09 +0100
Received: from wk by with local (Exim 4.84 #3 (Debian)) id 1gLQSA-0001ux-7K; Sat, 10 Nov 2018 11:25:22 +0100
From: Werner Koch <>
To: Bart Butler <>
Cc: Paul Fawkesley <>, "openpgp\" <>
References: <> <> <> <> <>
Organisation: GnuPG e.V.
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Mail-Followup-To: Bart Butler <>, Paul Fawkesley <>, "openpgp\" <>
Date: Sat, 10 Nov 2018 11:25:21 +0100
In-Reply-To: <> (Bart Butler's message of "Fri, 09 Nov 2018 23:18:57 +0000")
Message-ID: <>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=offensive_information_warfare_gamma_bemd_csim_MP5K-SD_Capricorn=inve"; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <>
Subject: Re: [openpgp] OpenPGP Web Key Directory I-D
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Nov 2018 10:30:12 -0000

On Sat, 10 Nov 2018 00:18,

> reasons previously mentioned in this thread and discussed in Brussels
> (case sensitivity, +aliases/subaddresses, Unicode, catch-all
> addresses). The hash would be ignored.

BTW, the sub-addressing does not seem to be a real problem.  A cursory
inspection of some large keyrings showed that user-ids with
sub-addresses are quite rare and there is always the opportunity for the
user (or a tool) to create another user-id w/o the sub-address.  Thus
the sub-addresses can be handled in the MUA and won't need protocol

> I think that long-term, two parameters that do the same thing and could conflict is bad and that while compatibility is a good short-term goal, we should try drop the hash and to migrate to this final form as soon as possible:
> ..well-known/openpgpkey/hu/?

I disagree but I don't think it is the time to discuss this now.  Let us
first deploy a useful key discovery and then see how it can be

> should simplify this and simply mandate the 'wkd' subdomain, full
> stop, rather than having a fallback mechanism to the main domain. The

I concur.  Given that we need to drop the SRV records for silly reasons
anyway, we can also demand a fixed subdomain.  Given that I don't like
the "wkd" acronym, I would prefer to use a different name, like

And regarding your other mail: Sure, a redirection can only be allowed
to use a http redirect and not with a CNAME.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.