--with-wkd-hash does not have an effect on --with-colons
Closed, Resolved (Public)

Description

Any attempt to use GnuPG to automatically extract the wkd hash form of a given User ID seems fraught:

  • if you use --list-keys --with-colons with --with-wkd-hash, there is no change
  • if you don't use --with-colons then you're in some sort of non-machine-readable not-an-API space, which is likely to break on upgrade.

This suggests that people have no way to use gpg itself to generate the expected output in an automated way.

dkg created this task. Mar 21 2019, 8:02 PM
werner added a subscriber: werner. Mar 22 2019, 8:37 AM

I think that a small tool or feature for gpg-wks-client would be better than extending the --with-colons format. A --dry-run option for example could list the filenames which would be created.

So what about this:

$ gpg-wks-client  --print-wkd-hash dkg@foo wk@gnupg.org 'Joe <joe@example.org>'
sr4so3py756t9p5ktpud9menxx1m3g5b dkg@foo
nq6t9teux7edsnwdksswydu4o9i5es3f wk@gnupg.org
n4w4kuq9ejc3kmthngg8ccja7y5j8i97 joe@example.org

Without args it expects a user-id per line.

dkg added a comment. Mar 23 2019, 3:48 AM

That seems plausible to me. I'm not sure why you'd include the @domain part in the output, since it's all strictly about the localpart. What happens if you provide some upper-case inputs?

That keeps the interface the same just in case we ever change the format. It also has the advantage that you can use the tool to extract the mail address from the user id and thus see whether it is valid.

Do you think another column w/o the domain would be helpful? Stripping the domain is not hard to do in a shell script. If you have only the user id, append @local or any other domain.

dkg added a comment. Mar 23 2019, 10:40 PM

I don't think we need another column without the domain; I agree that it's easy enough to strip.

I'm still curious what you think the right behavior should be when it's fed an e-mail address with a mixed-case localpart. Does it show the downcased version on output? What decisions are you making about how the downcasing should be performed for non-ASCII characters (e.g. in a Turkish locale, I goes to "ı", whereas in en_US it downcases to "i")? It would certainly be nice to know what it's downcased to before hashing if you're trying to replicate it.

Because the rules for downcasing are way too complicated to yield any stable result, the I-D requires that only ASCII characters are downcased, that is A-Z to a-z. Here is an example:

$ gpg-wks-client --print-wkd-hash WK@gnupg.org wk@gnupg.org wkä@gnupg.org wkÄ@gnupg.org
nq6t9teux7edsnwdksswydu4o9i5es3f wk@gnupg.org
nq6t9teux7edsnwdksswydu4o9i5es3f wk@gnupg.org
ks8jxythkpponzuf4pcczcd6sy8bmsiw wkä@gnupg.org
nkwed8tn9u984yhdkaewk5fq4czrhicr wkÄ@gnupg.org

BTW in 2.2.15 you can also do

$ gpg-wks-client --print-wkd-url WK@gnupg.org
https://openpgpkey.gnupg.org/.well-known/openpgpkey/gnupg.org/hu/nq6t9teux7edsnwdksswydu4o9i5es3f?l=wk

which is convenient if you want to add a link to your key into some document.
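For anyone who wants to reproduce the hash and URL shown in this thread outside of gpg-wks-client, here is an added example (not part of the ticket or of GnuPG's own code) that implements the WKD mapping as described above: ASCII-only downcasing of the local part, SHA-1, z-base-32. The user-id parsing (`extract_mailbox`) is a simplified assumption that only handles bare addresses and a single `<addr>` part, and the domain is left untouched.

```python
import base64
import hashlib
import re

# z-base-32 uses the same 5-bit layout as RFC 4648 base32, only with a
# permuted alphabet, so we can reuse b32encode and translate the characters.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = b"ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = bytes.maketrans(_B32_STD, _ZB32)


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (20 bytes -> 32 chars)."""
    return base64.b32encode(data).rstrip(b"=").translate(_TO_ZB32).decode("ascii")


def extract_mailbox(user_id: str) -> str:
    """Pull the mail address out of a user id such as 'Joe <joe@example.org>'.
    Simplified (assumption): a bare address or one angle-bracket part only."""
    m = re.search(r"<([^<>]+)>", user_id)
    addr = (m.group(1) if m else user_id).strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a mail address: {user_id!r}")
    return addr


def wkd_hash(user_id: str) -> tuple:
    """Return (hash, mapped mailbox) like the --print-wkd-hash output."""
    local, domain = extract_mailbox(user_id).split("@")
    # bytes.lower() only folds A-Z, which is exactly the I-D rule; str.lower()
    # would also fold e.g. 'Ä' and therefore produce a different hash.
    mapped = local.encode("utf-8").lower()
    digest = hashlib.sha1(mapped).digest()
    return zbase32(digest), mapped.decode("utf-8") + "@" + domain


def wkd_url(user_id: str) -> str:
    """Advanced-method URL, same shape as the --print-wkd-url output."""
    h, mailbox = wkd_hash(user_id)
    local, domain = mailbox.split("@")
    return f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}"


if __name__ == "__main__":
    for uid in ("WK@gnupg.org", "wk@gnupg.org", "wkä@gnupg.org", "wkÄ@gnupg.org"):
        print(*wkd_hash(uid))
    print(wkd_url("WK@gnupg.org"))
```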

werner closed this task as Resolved. Mar 27 2019, 11:10 AM
werner claimed this task.