diff --git a/misc/blog.gnupg.org/20170807-web-key-in-engimail.org b/misc/blog.gnupg.org/20170807-web-key-in-engimail.org deleted file mode 100644 index 7c9c3ba..0000000 --- a/misc/blog.gnupg.org/20170807-web-key-in-engimail.org +++ /dev/null @@ -1,20 +0,0 @@ -# Using the Web Key Service with Enigmail -#+STARTUP: showall -#+AUTHOR: Kai -#+DATE: August 7, 2017 - -** Using the Web Key Service with Enigmail - - Obtaining the key of someone has always being a major pain point of using GnuPG. OpenPGP doesn't "outsource" trust management by using a PKI. Instead it allows each user to decide whom to trust. This has the downside that we need to evaluate whenever we can trust a new key for each novel communication partner. Until recently there wasn't an automatic way to get the key of someone you never communicated with. - - The [[Web Key Service]](https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-03.html) and the new ~--auto-key-retrieve~ & ~--auto-key-locate~ available in recent versions of GnuPG. - -*** Web Key Service - - The Web Key Service is a protocol to publish OpenPGP keys via mail and retrieve others keys using HTTPS. The advatage over HKPS is that every email provider maintains its own key server (called Web Key Directory, WKD) that is authorative for all its users. This means that, - - 1. There exists only one key server for a given email address. No need to ask multiple servers as with HKPS. - - 2. When publishing a key using mail, WKD makes sure the sender is in possesion of the secret key. - - 3. Mail providers can (and should) make sure diff --git a/misc/blog.gnupg.org/20170807-web-key-in-enigmail.org b/misc/blog.gnupg.org/20170807-web-key-in-enigmail.org new file mode 100644 index 0000000..a762c41 --- /dev/null +++ b/misc/blog.gnupg.org/20170807-web-key-in-enigmail.org @@ -0,0 +1,51 @@ +# Using the Web Key Service with Enigmail +#+STARTUP: showall +#+AUTHOR: Kai +#+DATE: August 7, 2017 + +** Using the Web Key Service with Enigmail + + Obtaining the public key of someone has always being a major pain point of using GnuPG. OpenPGP doesn't "outsource" trust management by using a PKI. Instead it allows each user to decide whom to trust. This has the downside that we need to evaluate whenever we can trust a new public key for each new communication partner. Until recently there wasn't an automatic way to get the public key of someone you never communicated with. + + The [[Web Key Service]](https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-03.html) and the new ~--auto-key-retrieve~ & ~--auto-key-locate~ available in recent versions of GnuPG. + +*** Web Key Service + + The Web Key Service is a protocol to publish public OpenPGP keys via mail and retrieve others public keys using HTTPS. The advantage over HKPS is that every email provider maintains its own key server (called Web Key Directory, WKD) that is authoritative for all its users. This means that, + + 1. There exists only one key server for a given email address. No need to ask multiple servers as with HKPS. + + 2. When publishing a public key using mail, WKD makes sure the sender is in possession of the secret key. + + 3. Mail providers can (and should) make sure that only the owner of the mail account is able to publish a public key for it. + + Point three helps us with trust management. In case we trust the email provider of our communication partner we can trust the key retrieved by WKD more than one from an HKPS based key server. + + TODO: more detail & image + +*** Publish your public key to a Web Key Directory + + In order to use WKS you need a provider who supports it. After you configured the email account in Thunderbird you need to enable OpenPGP for it and generate a key pair. + TODO: image: enable opepgp & key gen + + Then, open the key management window and find your public key. Right clicking it opens the context menu. There, select the option to upload the public key to your providers WKD. + + TODO: image: key management context menu + + After submission the WKD will send a mail to you asking to confirm the publication request. The subject line and body copy can be defined by the WKD but Enigmail will display a yellow bar above the message announcing it is a confirmation request. Clicking the button on the right will send to confirmation mail to WKD. + + TODO: image: confirmation req. + + After the mail has been sent, your public key will be accessible to everybody. + +*** Receive others public key from a Web Key Directory + + Recent version of Enigmail receive missing public keys automatically form multiple sources, including WKD. Everybody who wants to send you an encrypted mail will be able to do so without finding you public key first. + + Because this is a bit anticlimactic but you can use the ~--auto-key-locate~ option to retrieve your own public key from the WKD to see whenever it worked. + + ~HOME=`mktemp -d` gpg2 --auto-key-locate wkd -e -r ~ + + If GnuPG is able to retrieve the public key you will see a line that looks like that: + + ~gpg: automatically retrieved '' via WKD~