WKD/forUsers - GnuPG wiki

(Draft)

WKD makes using cryptography with emails (and files) easier for you and the people you exchange emails and files with.

For the best experience, you need an email client and an email provider that fully provide the functionality to you. As long as you are not there, you can still gain some of the benefits (while doing some work yourself.)

Security by cryptography?

The OpenPGP standard uses asymmetric cryptography. It can do two things:

Encrypt a message so only a few can read it.
Sign a message so that other can be sure who sent it.

If you want to encrypt something to somebody else, you need that person's OpenPGP public key (pubkey). And that person needs your public key to encrypt something in return.

If the other person wants to check that you wrote exactly what they see, they need your pubkey to verify a signature.

Ideally each person as (at least) one pair of keys consisting of a private key and a public key that belong together.

Looking up public keys of others

You can check your email client if it has the following features (in that order):

Can do WKD lookups when advised to.
Implements both the advanced and the direct method (of the current WKD spec).
Enabled by default.
(Advanced) Uses caching of lookups.
(Advanced) Uses other trust information sensibly.

If your email client cannot do it, you can still see if the used crypto engine can do a lookup manually.

Making sure others can get my public key.

Check that your email provider can:

Place your public key on their server (for the WKD lookup) somehow.
There are official instructions from the email provider for doing so.
Implementation is compatible with the current WKD spec.
(Advanced) Offer the proposed method so you can maintain which pubkey they publish with your email client (see WKS below).

If you are your own email provider, look into the methods how to implement WKD on the server side. It can be as as simple as just placing the right files in the folder to be served.

Web key service (WKS)

The WKD specification includes a standard way called "Web Key Service" to manage the public key that your email provider offers via WKD. It uses emails, so email clients can implement it.

So in addition to the email provider offering it, your email client can offer:

(Advanced) Offer handling of WKS for submitting and changing your own public key with the email provider
(Advanced) Does periodically check if the offered pubkey for your own email address is the right one.

If your email client does not provide this, you can try some manual methods to create the necessary emails.

Scope: Explain WKD from the user perspective. Show which features to look for with email clients and providers.