Hosting a Web Key Directory

Ideally a Web Key Directory is created and maintained through a Web Key Service, but organisations or individuals may want to host a Web Key Directory without running a Web Key Service.

Requirements
- A web server that provides HTTPS with a trusted certificate.
- A client machine with Python and pyme installed (Debian package python-pyme).
- The script generate-openpgpkey-hu (https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu).

Usage
You can either export all the keys in your keyring which belong to a domain, or provide an explicit keyring containing only the keys you want to publish. The call

  ./generate-openpgpkey-hu example.com hu

will create a directory called hu containing all the keys with @example.com mail addresses. If there are multiple valid keys for a user in your keyring, this command will error out. In that case you can prepare a keyring with only the keys you want to publish, e.g.:

  gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
    gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import

and then provide that keyring to generate-openpgpkey-hu:

  ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg

Publishing
The hu directory has to be published on your server as https://example.com/.well-known/openpgpkey/hu/. On your server, create the corresponding directory and set the permissions according to your system. The example Makefile (https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example) automates hu directory generation and publishing: edit the variables at the top of the Makefile, in particular RSYNC_TARGET. The KEYRING variable is optional and can be left empty.
Much easier Email crypto, by fetching pubkey via HTTPS
How does it work?
As an email user, you just select the recipient(s) and can see that the email will be encrypted.
If you and your peers use email providers offering this "web key service", it works from the very first email. Otherwise encryption will start after you have exchanged some emails.
Technically your email client will automatically
- prepare for this by creating a crypto key for you and uploading it to your provider (or, second best, to public keyservers).
- sign all emails so others see that you are ready for crypto (unless you opt out)
- ask the mail provider of your recipients for their pubkeys.
An email provider offering the "web key service" technically has to
- provide its users' pubkeys via HTTPS
- allow each user's email client to manage, by email, the pubkey that gets published.
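The provider requirements above and the "Hosting a Web Key Directory" section both come down to serving one file per address under /.well-known/openpgpkey/hu/. The file name is not the address itself but, per the WKD draft, the z-base-32 encoding of the SHA-1 over the lower-cased local part. The following Python is an added example, not part of this wiki page or of the wkd-tools scripts; it computes those names, builds the fetch URL, and applies the same "one key per address" rule that generate-openpgpkey-hu enforces. The fingerprints are constructed placeholders; Joe.Doe@Example.ORG is the draft's own sample address.

```python
import hashlib

# z-base-32 alphabet used by the Web Key Directory draft for hu/ file names
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding characters; trailing bits are zero-filled."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                    # a 160-bit SHA-1 digest needs no padding
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> shift) & 31]
                   for shift in range(nbits + pad - 5, -1, -5))

def wkd_hash(local_part: str) -> str:
    """hu/ file name: z-base-32 of SHA-1 over the lower-cased local part."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_direct_url(address: str) -> str:
    """URL a client fetches for an address (direct method, domain lower-cased)."""
    local, domain = address.rsplit("@", 1)
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local)}"

def plan_hu_directory(domain: str, keys: list) -> dict:
    """Map (fingerprint, [uid addresses]) pairs to hu/ file names for one domain.
    Raises ValueError when two different keys claim the same address, which is
    the situation in which generate-openpgpkey-hu refuses to run."""
    plan = {}
    for fpr, uids in keys:
        for uid in uids:
            local, _, uid_domain = uid.rpartition("@")
            if uid_domain.lower() != domain.lower():
                continue                  # key belongs to another domain
            name = wkd_hash(local)
            if plan.get(name, fpr) != fpr:
                raise ValueError(f"multiple keys for {uid}: {plan[name]} and {fpr}")
            plan[name] = fpr
    return plan

# Constructed sample keyring: fingerprints and addresses are made up.
SAMPLE_KEYS = [
    ("0000000000000000000000000000000000000001", ["Joe.Doe@Example.ORG"]),
    ("0000000000000000000000000000000000000002", ["jane@example.org", "jane@other.test"]),
]

if __name__ == "__main__":
    print(wkd_direct_url("Joe.Doe@Example.ORG"))
    for name, fpr in plan_hu_directory("example.org", SAMPLE_KEYS).items():
        print(f"hu/{name} <- {fpr}")
```

Because the hash covers only the lower-cased local part, a client and a server that disagree on case still meet at the same file, while the domain part never enters the hash and must be served under exactly that host.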
Details / Discussion of the proposal
Pubkey Distribution Concept (the technical details)
- 2016-09-08 OpenPGP.conf presentation by Werner Koch: Abstract Slides.PDF
- 2016-09-08 OpenPGP.conf presentation by Bernhard Reiter, pages 21-24 Slides.ODP Slides.PDF
- 2016-09-09 OpenPGP-Schlüssel über HTTPS verteilen (Distributing OpenPGP keys via HTTPS), Golem news by Hanno Böck
- 2016-09-11 Spezifikation für die Verteilung von OpenPGP-Keys per HTTPS veröffentlicht (Specification for distributing OpenPGP keys via HTTPS published), Heise news by Johannes Merkert
- 2016-09-11 Anmerkungen zum Web Key Service (Remarks on the Web Key Service), gnupg-de@ mailing list, by Werner Koch
- 2016-10-05 Draft 02 of the specs published (see details page linked above).
The elaborated proposal is a result of the EasyGpg2016 contract.
Implementations
GnuPG "modern"
- WKD lookup since v2.1.12
- WKS server and client tools since v2.1.14, see how to run them in GnuPG's blog from 2016-08-30 or the Web Key Service page. [1]
Mail User Agents
- planned Kontact Mail/KMail support (part of EasyGpg2016)
- planned Thunderbird support (part of EasyGpg2016)
Mail Service Providers
- Posteo offers web key directory lookup and service. (Since 2016-12)
- gnupg.org: testing accounts on request for developers implementing WKS in Free Software MUAs.
WKD stand-alone (without WKS)
- wks-tools (see the WKDHosting page) helps to publish a single pubkeyring via static HTTPS.

[1] The server sends a message pointing to https://gnupg.org/faq/wkd.html