[openpgp] Web Key Directory I-D -07

Werner Koch <wk@gnupg.org> Tue, 13 November 2018 14:05 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52989130DDA for <openpgp@ietfa.amsl.com>; Tue, 13 Nov 2018 06:05:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gnupg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQbx8g3S11ED for <openpgp@ietfa.amsl.com>; Tue, 13 Nov 2018 06:05:11 -0800 (PST)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1D5F12D4EE for <openpgp@ietf.org>; Tue, 13 Nov 2018 06:05:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org; s=20181017; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ZZP3J7/ApoGb7n+g2WLGAZvPuvEQG6/G3HtawHAruMY=; b=ezygIY8+3iCkcw1BHCJjXEwKB7 rpcW6EuqKGKvHzIIp8tZW/Y06X5Z7U+TyT0R3h5pxmxpfa8FS9Pzu91OnhXHZUEXbjpvraldgyT/z 05s/EGdR/lhLuGcYD9lQ2kfx6yRnVvakLKwcqhG8y/Ap8B8VvG04ozHqd+ZEGzvKEiRQ=;
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.89 #1 (Debian)) id 1gMZJU-0005Uc-Tg for <openpgp@ietf.org>; Tue, 13 Nov 2018 15:05:08 +0100
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian)) id 1gMZGc-00083d-E5 for <openpgp@ietf.org>; Tue, 13 Nov 2018 15:02:10 +0100
From: Werner Koch <wk@gnupg.org>
To: openpgp@ietf.org
Organisation: GnuPG e.V.
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Mail-Followup-To: openpgp@ietf.org
Date: Tue, 13 Nov 2018 15:02:04 +0100
Message-ID: <878t1xoz37.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=chameleon_man_ASDIC_Yukon_Mena_STARLAN_Rumsfeld_bootleg_undercover=L"; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/wed1yxZudnajWAMCTRLiTO55P6g>
Subject: [openpgp] Web Key Directory I-D -07
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Nov 2018 14:05:18 -0000

Hi!

A new revision of the Web Key Directory I-D has been published:

  https://www.ietf.org/id/draft-koch-openpgp-webkey-service-07.txt

Changes since -06 are:

- Specify the advanced method with the openpgpkey sub-domain.
- Specify the l=LOCAL-PART query parameter.
- Require the provider to filter the key for publication.
- Drop the use of DNS SRV records.

See below for the gist of the change.  GnuPG master implements the new
advanced method.  You may use my address for testing.  For now the SRV
method is still used as a fallback by GnuPG.

Note that the domain name is now also part of the file name if the
openpgpkey sub-domain is used.  This should make it easier to server the
directory for several domains from a single server.  This sub-domain
approach is similar to Mozilla's mail auto configuration [1].


Shalom-Salam,

   Werner


--8<---------------cut here---------------start------------->8---
   There are two variants on how to form the request URI: The advanced
   and the direct method.  Implementations MUST first try the advanced
   method.  Only if the required sub-domain does not exist, they SHOULD
   fall back to the direct method.

   The advanced method requires a sub-domain with the fixed name
   "openpgpkey" is created and queried.  It constructs the URI from the
   concatenation of these items:

   o  The scheme "https://",

   o  the domain-part,

   o  the string "/.well-known/openpgpkey/",

   o  the domain-part in lowercase,

   o  the string "/hu/",

   o  the above constructed 32 octet string,

   o  the unchanged local-part as a parameter with name "l" using proper
      percent escaping.

   An example for such an advanced method URI to lookup the key for
   Joe.Doe@Example.ORG is:

     https://openpgpkey.example.org/.well-known/openpgpkey/
     example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

   (line has been wrapped for rendering purposes)

   The direct method requires no additional DNS entries and constructs
   the URI from the concatenation of these items:

   o  The scheme "https://",

   o  the domain-part,

   o  the string "/.well-known/openpgpkey/hu/",

   o  the above constructed 32 octet string,

   o  the unchanged local-part as a parameter with name "l" using proper
      percent escaping.

   Example for a direct method URI:

     https://example.org/.well-known/openpgpkey/
     hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe

   (line has been wrapped for rendering purposes)

[...]
   The benefit of the advanced method is its greater flexibility in
   setting up the Web Key Directory in environments where more than one
   mail domain is hosted.  DNS SRV resource records, as used in earlier
   specifications of this protocol, posed a problem for implementations
   which have only limited access to DNS resolvers.  The direct method
   is kept for backward compatibility and to allow providing a Web Key
   Directory even with without DNS change requirements.
--8<---------------cut here---------------end--------------->8---



[1] <https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration>

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.