What is a Web Key Directory?
Web Key Directories provide an easy way to discover public keys through HTTPS.
In contrast to the public keyservers, a Web Key Directory does not publish mail addresses, and it is an authoritative key source for its domain.
How does it work?
- The sender's mail client (through GnuPG) checks a "well known" URL on the domain of the recipient.
- If a key is available for that address, it can be downloaded via HTTPS.
- The downloaded key can now be used for automatic encryption.
Such a URL looks like: https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h for the mail address "aheinecke@intevation.de"
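The "hu" part of that URL is derived from the local part of the address. As an added example (not code from the wiki or from GnuPG), the following Python reproduces the lookup URL: it maps ASCII upper-case letters of the local part to lower-case, hashes with SHA-1 and encodes the digest with z-base-32, as the WKD draft specifies, and it only ever builds a URL on the recipient's own domain, since that domain is the authoritative source.

```python
import hashlib

# z-base-32 alphabet (Zooko's encoding) as used for the WKD hash
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit first."""
    value = int.from_bytes(data, "big")
    nbits = len(data) * 8
    # Pad on the right to a multiple of 5 bits (a SHA-1 digest is 160 bits, so no padding).
    pad = (-nbits) % 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 'hu' path component: z-base-32 of SHA-1 over the case-mapped local part."""
    # Only ASCII upper-case letters are mapped; other characters are hashed as given.
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    digest = hashlib.sha1(mapped.encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_url(address: str) -> str:
    """Direct-method WKD URL for a mail address, in the form shown on this page."""
    if address.count("@") != 1:
        raise ValueError("expected exactly one '@' in mail address")
    local_part, domain = address.rsplit("@", 1)
    if not local_part or not domain:
        raise ValueError("empty local part or domain")
    # The lookup goes to the recipient's own domain only: a client must not follow
    # a key URL on any other host, because only this domain is authoritative.
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}"


if __name__ == "__main__":
    print(wkd_url("aheinecke@intevation.de"))
```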
What does it mean for users?
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory.
For a basic level of security the user does not need to check a fingerprint or do any key management manually.
How to set it up?
If you want to set up a Web Key Directory for your organisation you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting
For a larger organisation it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.
Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?
The Web Key Directory is the HTTPS directory from which keys can be fetched.
The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional to reduce the administrative effort of a Web Key Directory.
Documentation on how to set up a Web Key Service can be found on the Web Key Service page.
Technical Details
You can find the concepts / technical details under WKDDetails.
Trust and security considerations are outlined as part of the AutomatedEncryption concept.
Implementations
GnuPG
- WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since v2.1.23.
- WKS server and client tools are part of GnuPG since v2.1.14.
Mail Clients
Any mail client which uses the --locate-keys option of GnuPG will automatically do WKD requests.
Known mail clients with WKD Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL since Version 2.2.0
Known mail clients with WKS Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL (basic, pre-release) since Version 2.2.1
Mail Service Providers offering WKD
- Posteo offers web key directory lookup and service for @posteo.de addresses (since 2016-12)
- netzguerilla offers web key directory lookup (since 2017-10-11)
- mailbox.org plans to offer web key directory lookup in Q2 2018 (coming with OX Guard 2.10).
- (Self)-hosted email servers that run caesonia - an OpenBSD Email Service setup.
Organizations using WKD
- cotech.de
- KDAB.com
- kernel.org
- gnupg.org (Testing accounts available for developers implementing WKD in MUAs.)
- (Several smaller organizations. Like - unsurprisingly - g10code.com and intevation.de. Let us know if you want to be publicly listed.)