[openpgp] Web Key Directory I-D -07
Werner Koch <wk@gnupg.org> Tue, 13 November 2018 14:05 UTC
From: Werner Koch <wk@gnupg.org>
To: openpgp@ietf.org
Organisation: GnuPG e.V.
Date: Tue, 13 Nov 2018 15:02:04 +0100
Message-ID: <878t1xoz37.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/wed1yxZudnajWAMCTRLiTO55P6g>
Subject: [openpgp] Web Key Directory I-D -07
Hi!

A new revision of the Web Key Directory I-D has been published:

  https://www.ietf.org/id/draft-koch-openpgp-webkey-service-07.txt

Changes since -06 are:

- Specify the advanced method with the openpgpkey sub-domain.
- Specify the l=LOCAL-PART query parameter.
- Require the provider to filter the key for publication.
- Drop the use of DNS SRV records.

See below for the gist of the change. GnuPG master implements the new advanced method. You may use my address for testing. For now the SRV method is still used as a fallback by GnuPG.

Note that the domain name is now also part of the file name if the openpgpkey sub-domain is used. This should make it easier to serve the directory for several domains from a single server. This sub-domain approach is similar to Mozilla's mail auto configuration [1].

Shalom-Salam,

   Werner

--8<---------------cut here---------------start------------->8---
There are two variants on how to form the request URI: The advanced and the direct method. Implementations MUST first try the advanced method. Only if the required sub-domain does not exist, they SHOULD fall back to the direct method.

The advanced method requires a sub-domain with the fixed name "openpgpkey" is created and queried. It constructs the URI from the concatenation of these items:

o The scheme "https://",
o the domain-part,
o the string "/.well-known/openpgpkey/",
o the domain-part in lowercase,
o the string "/hu/",
o the above constructed 32 octet string,
o the unchanged local-part as a parameter with name "l" using proper percent escaping.

An example for such an advanced method URI to lookup the key for Joe.Doe@Example.ORG is:

  https://openpgpkey.example.org/.well-known/openpgpkey/
  example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

(line has been wrapped for rendering purposes)

The direct method requires no additional DNS entries and constructs the URI from the concatenation of these items:

o The scheme "https://",
o the domain-part,
o the string "/.well-known/openpgpkey/hu/",
o the above constructed 32 octet string,
o the unchanged local-part as a parameter with name "l" using proper percent escaping.

Example for a direct method URI:

  https://example.org/.well-known/openpgpkey/
  hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

(line has been wrapped for rendering purposes)

[...]

The benefit of the advanced method is its greater flexibility in setting up the Web Key Directory in environments where more than one mail domain is hosted. DNS SRV resource records, as used in earlier specifications of this protocol, posed a problem for implementations which have only limited access to DNS resolvers. The direct method is kept for backward compatibility and to allow providing a Web Key Directory even without DNS change requirements.
--8<---------------cut here---------------end--------------->8---

[1] <https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration>

--
Thoughts are free. Exceptions are governed by a federal law.
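The URI construction quoted above, as an added worked example that is not part of Werner's mail or of GnuPG. The "above constructed 32 octet string" is elided on this page; the code assumes the draft's definition (SHA-1 of the lowercased local-part, z-base-32 encoded, which yields 32 characters for a 160-bit digest), folds only ASCII A-Z, and adds a provider-side check of the "hu" path segment that is this example's own addition, not something the draft prescribes.

```python
import hashlib
import string
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local-part (assumed from the draft)
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, MSB first, zero-padding the final 5-bit group."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # 160 bits need no padding
    value = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(ZB32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 32-octet 'hu' name: SHA-1 of the ASCII-lowercased local-part, z-base-32 encoded."""
    # Only ASCII uppercase letters are folded; everything else is hashed unchanged.
    lowered = local_part.translate(str.maketrans(string.ascii_uppercase,
                                                 string.ascii_lowercase))
    return zbase32_encode(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_uris(address: str) -> dict:
    """Build the advanced and direct lookup URIs for one mail address."""
    local_part, domain = address.rsplit("@", 1)
    domain_lc = domain.lower()              # DNS names are case-insensitive
    hu = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")   # unchanged local-part, percent-escaped
    return {
        "advanced": f"https://openpgpkey.{domain_lc}/.well-known/openpgpkey/"
                    f"{domain_lc}/hu/{hu}{query}",
        "direct": f"https://{domain_lc}/.well-known/openpgpkey/hu/{hu}{query}",
    }


def is_valid_hu_name(segment: str) -> bool:
    """Provider-side check (this example's addition): a 'hu' path segment must be
    exactly 32 z-base-32 characters, so anything else is refused before it can be
    turned into a filesystem path."""
    return len(segment) == 32 and all(c in ZB32_ALPHABET for c in segment)


if __name__ == "__main__":
    for method, uri in wkd_uris("Joe.Doe@Example.ORG").items():
        print(f"{method}: {uri}")
```

A client follows the draft's order: request the advanced URI first and fall back to the direct one only when the openpgpkey sub-domain does not resolve.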