= Much easier Email crypto, by fetching pubkey via HTTPS =

== How does it work?

As an email user, you just select the recipient(s) and can see that the email will be encrypted. If you and your peers use email providers offering this "web key service", it works from the first email. Otherwise encryption will start after you have exchanged some emails.

Technically your email client will automatically
* prepare for this by creating a crypto key for you and uploading it to your provider (or, second best, to public keyservers).
* sign all emails so others see that you are ready for crypto (unless you opt out).
* ask the mail provider of your recipients for their pubkeys.

An email provider offering the "web key service" technically has to
* provide a pubkey for users via ~HT~TPS
* allow each user's email client to automatically manage, by email, the pubkey that gets published.

== Details / Discussion of the proposal

**[[EasyGpg2016/PubkeyDistributionConcept|Pubkey Distribution Concept]] <- the (technical) details**

* 2016-09-08 ~OpenPGP.conf presentation by Werner Koch: [[https://www.openpgp-conf.org/program.html#werner|Abstract]] [[https://www.openpgp-conf.org/2016/openpgp-2016-simple-key-discovery.pdf|Slides.PDF]]
* 2016-09-08 ~OpenPGP.conf presentation by Bernhard Reiter, pages 21-24: [[https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.odp|Slides.ODP]] [[https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.pdf|Slides.PDF]]
* 2016-09-09 //[[http://www.golem.de/news/web-key-service-openpgp-schluessel-ueber-https-verteilen-1609-123194.html|OpenPGP-Schlüssel über HTTPS verteilen]]// Golem news by Hanno Böck
* 2016-09-11 //[[https://www.heise.de/newsticker/meldung/Spezifikation-fuer-die-Verteilung-von-OpenPGP-Keys-per-HTTPS-veroeffentlicht-3317914.html|Spezifikation für die Verteilung von OpenPGP-Keys per HTTPS veröffentlicht]]// Heise news by Johannes Merkert
* 2016-09-11 //[[http://lists.gnupg.org/pipermail/gnupg-de/2016-September/000547.html|Anmerkungen zum Web Key Service]]// gnupg-de@ by Werner Koch
* 2016-10-05 Draft 02 of the specs published (see the details page linked above).

The elaborated proposal is a result of the EasyGpg2016 contract.

== Implementations

=== GnuPG "modern"

* WKD lookup experimental since v2.1.12
* WKS server and client experimental tools since v2.1.14, see //[[https://gnupg.org/blog/20160830-web-key-service.html|how to run them in GnuPG's blog from 2016-08-30]]// or the [[WKS|Web Key Service page]].

=== Mail User Agents

* planned Kontact Mail/KMail support (part of EasyGpg2016)
* planned Thunderbird support (part of EasyGpg2016)

=== Mail Service Providers

* (planned for Sep/Oct 2016) [[https://posteo.de/en/|Posteo]] offering a full implementation of the "web key service". Posteo has already implemented provisioning of pubkeys via ~HT~TPS.
* (gnupg.org) Testing accounts on request for developers implementing WKS in Free Software MUAs.

== Hosting a Web Key Directory

Ideally a Web Key Directory will be created and maintained through a Web Key Service, but organisations or individuals may want to just host a Web Key Directory without a Web Key Service.

=== Requirements

* A web server that provides https with a trusted certificate.
* A client machine with python and pyme installed (Debian package python-pyme)
* The script: [[https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu|generate-openpgpkey-hu]]

=== Usage

You can either export all the keys in your keyring which belong to a domain, or provide an explicit keyring containing only the keys you want to publish.

The call:
{{{
./generate-openpgpkey-hu example.com hu
}}}
will create a directory called hu containing all the keys with @example.com mail addresses. If there are multiple valid keys for a user in your keyring, this command will error out. In that case you can prepare a keyring with only the keys you want to publish, e.g.:
{{{
gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
  gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import
}}}
and then provide that keyring to generate-openpgpkey-hu:
{{{
./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
}}}

=== Publishing

The hu directory has to be published on your server as {{{https://example.com/.well-known/openpgpkey/hu/}}}

On your server, create the corresponding directory and set the permissions according to your system.

This example [[https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example|Makefile]] automates the hu directory generation and publishing. Edit the variables at the top of the makefile to set your {{{RSYNC_TARGET}}}. The {{{KEYRING}}} variable is optional and can be empty.
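As an added example (not part of this page or of the wkd-tools script), the following derives the filename under hu/ and the URL a client will fetch for a given address, so an administrator can check that a freshly generated hu directory contains exactly the files clients request. It assumes the hashed-user-id scheme of the Web Key Directory draft, which this page does not spell out: SHA-1 over the lowercased local part, encoded in z-base-32 (32 characters); current revisions of the draft also append the local part as the `l` query parameter, while the file name on the server is the bare hash.

```python
import hashlib

# z-base-32 alphabet as used by the WKD draft for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per character, no padding chars)."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5              # right-pad the bit string to a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(
        ZBASE32_ALPHABET[(value >> (nbits - 5 * (i + 1))) & 0x1F]
        for i in range(nbits // 5)
    )


def wkd_hash(local_part: str) -> str:
    """Hashed user id: z-base-32 of SHA-1 over the lowercased local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)   # 160 bits -> 32 characters


def hu_filename(address: str) -> str:
    """Name of the file under hu/ that holds the key for this address."""
    local_part, _domain = address.rsplit("@", 1)
    return wkd_hash(local_part)


def wkd_url(address: str) -> str:
    """URL a client fetches for this address under the scheme shown above
    (https://<domain>/.well-known/openpgpkey/hu/<hash>), with the local part
    appended as the `l` query parameter as in current draft revisions."""
    local_part, domain = address.rsplit("@", 1)
    return (f"https://{domain.lower()}/.well-known/openpgpkey/hu/"
            f"{wkd_hash(local_part)}?l={local_part}")


if __name__ == "__main__":
    # constructed sample addresses; Joe.Doe@Example.ORG is the draft's own example
    for addr in ("Joe.Doe@Example.ORG", "alice@example.com"):
        print(addr, "-> hu/" + hu_filename(addr), wkd_url(addr))
```

Comparing `hu_filename()` for every published address against a listing of the hu directory catches keys that were exported under a user id whose local part does not match the mailbox actually served.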