Web Key Directory related
Apr 9 2020
thanks a lot dkg and werner :)
Mar 30 2020
Done; will go into 2.2.21 (T4897).
Mar 23 2020
Feb 6 2020
Feb 5 2020
Jan 14 2020
Thank you for resolving this issue! I am successfully using version 2.2.19 from the gnupg (2.2.19-1~bpo10+1) package of Debian Backports.
Dec 17 2019
Dec 4 2019
Fixed for 2.2.19 and master
Nov 23 2019
Nov 16 2019
Given that the angle brackets are elsewhere used to indicate a search by mail address, it would be okay to allow for them in this case too (that is dkg's second example). The risk of a regression in that case is pretty low.
Nov 7 2019
does a remote key lookup only if STRING is a valid addr-spec. No extraction of the addr-spec from STRING is done and thus angle brackets inhibit the use of a remote lookup. This was implemented in this way to be as much as possible backward compatible.
Oct 28 2019
Oct 24 2019
@werner, you seem to be saying that -r does not imply "key lookups on remote services". Is that correct?
Oct 23 2019
This is a misunderstanding. The extraction of mail addresses is only done for key lookups on remote services. Thus the -r case is as intended.
Is this task maybe related to T1927?
Sep 2 2019
Aug 21 2019
This was also raised for (hopefully) wider discussion on the IETF mailing list.
Aug 20 2019
Jul 5 2019
Done for master and 2.2.
Jul 4 2019
Fix will be in 2.2.17
Jul 3 2019
@dkg I believe @aheinecke gave the GpgOL description just as an example of why WKD-first retrieval would be beneficial (for details of that see https://wiki.gnupg.org/AutomatedEncryption#Trust_Levels) and I believe this ticket is a follow-up to my question on gnupg-devel ML: https://lists.gnupg.org/pipermail/gnupg-devel/2019-June/034372.html
auto-key-retrieve happens in the context of signature verification when the certificate is missing. If no signer User ID subpacket is present in the signature, then WKD simply won't work.
I did some manual tests using netcat and KS_FETCH to test the redirection.
I think you're suggesting accepting *any* path if the hostname of the proposed redirection matches openpgpkey.example.org when querying the WKD direct URL for an @example.org address. That would also be a fine solution from my point of view.
I had the same idea when I read your configuration. Given that the advanced lookup was not really deployed (see T4590), I also expect that we will receive complaints now that it works. Thus whitelisting any "openpgpkey." seems to me a reasonably easy solution.
Will be in 2.2.17