|
Size: 3711
Comment: Better phrasing, formatting. Small update: draft 04. Mentiong small orgs.
|
← Revision 99 as of 2025-02-20 08:33:59 ⇥
Size: 10347
Comment: + second online checker
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Much easier Email crypto, by fetching pubkey via HTTPS | <<TableOfContents(2)>> |
| Line 3: | Line 3: |
| == How does it work? As an email user, you just select the recipient(s) and can see that the email will be encrypted. |
== What is a Web Key Directory? |
| Line 6: | Line 5: |
| If you and your peers use email-providers offering this "web key service", it works by the first email. Otherwise encryption will start after you have exchanged some emails. |
A Web Key Directory (WKD) provides an easy way to provide and get the current public key for a given email address through H~T~T~P~S. Thus it is infrastructure **to improve the user experience for exchanging secure emails and files**. Because the email address is needed to ask for a public key, using a Web Key Directory preserves the privacy of this address. If a public key is found, it can be used to encrypt to the email address right away. == for Users * Explanations: [[/forUsers]] * Usage: See section [[https://wiki.gnupg.org/WKD#Implementations|Implementations]] == How does an email client use WKD? # A user selects a recipient for an email. # The email client uses the domain part of the email address to construct which server to ask. # HTT~PS is used to get the current public key. # The email client is ready to encrypt and send now. An example: {{{https://intevation.de/.well-known/openpgpkey/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4?l=bernhard.reiter}}} is the //direct method// URL for "bernhard.reiter@intevation.de". {{{gpg-wks-client}}} command can be used to generate wkd hash or wkd url for any email address, though it seems to prefer the subdomain method url over direct url. {{{ $ gpg-wks-client --print-wkd-hash bernhard.reiter@intevation.de it5sewh54rxz33fwmr8u6dy4bbz8itz4 bernhard.reiter@intevation.de }}} {{{ $ gpg-wks-client --print-wkd-url bernhard.reiter@intevation.de https://openpgpkey.intevation.de/.well-known/openpgpkey/intevation.de/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4?l=bernhard.reiter }}} |
| Line 10: | Line 43: |
| Technically your email client will automatically * prepare for this by creating a crypto key for you and uploading it to your provider (or second best to public keyservers). * sign all emails so others see that you are ready for crypto (unless you opt out) * ask the mail provider of your recipients for their pubkeys. |
== What does it mean for users? |
| Line 16: | Line 45: |
| An email-provider supporting privacy can * provide a pubkey for users via ~HT~TPS, called "web key directory" (WKD). * allow each user's email client to automatically manage the pubkey that gets published by email, called "web key service" (WKS). |
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if encryption keys can be found for all of them. |
| Line 21: | Line 49: |
| [[https://files.intevation.de/users/aheinecke/wkd-autoencrypt.gif|Example from Gpg4win / GpgOL]] | |
| Line 22: | Line 51: |
| == Details / Discussion | For a basic level of security the user does **not need to check a fingerprint** or do any key management manually. |
| Line 24: | Line 54: |
| **[[EasyGpg2016/PubkeyDistributionConcept|Pubkey Distribution Concept]] <- the (technical) details** | == How to set it up? |
| Line 26: | Line 56: |
| * 2016-09-08 ~OpenPGP.conf presentation by Werner Koch: [[https://www.openpgp-conf.org/program.html#werner|Abstract]] [[https://www.openpgp-conf.org/2016/openpgp-2016-simple-key-discovery.pdf|Slides.PDF]] * 2016-09-08 ~OpenPGP.conf presentation by Bernhard Reiter, pages 21-24 [[https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.odp|Slides.ODP]] [[https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.pdf|Slides.PDF]] * 2016-09-09 //[[http://www.golem.de/news/web-key-service-openpgp-schluessel-ueber-https-verteilen-1609-123194.html|OpenPGP-Schlüssel über HTTPS verteilen]]// Golem news by Hanno Böck * 2016-09-11 //[[https://www.heise.de/newsticker/meldung/Spezifikation-fuer-die-Verteilung-von-OpenPGP-Keys-per-HTTPS-veroeffentlicht-3317914.html|Spezifikation für die Verteilung von OpenPGP-Keys per HTTPS veröffentlicht]]// Heise news by Johannes Merkert * 2016-09-11 //[[http://lists.gnupg.org/pipermail/gnupg-de/2016-September/000547.html|Anmerkungen zum Web Key Service]]// gnupg-de@ by Werner Koch * 2017-07-28 Draft 04 of the specs published (see details page linked above). |
If you want to set up a Web Key Directory for your own server or your own server you only need access to a webserver for your domain. See: WKDHosting |
| Line 39: | Line 59: |
| The elaborated proposal is a result of the EasyGpg2016 contract. | For a larger organization it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing. === Stopgap method - temporary central keyserver Not recommended - but a temporary workaround - is to use "WKD~aaS" and delegate delivery of your pubkey to a central service. Doing this you'll expose all people that want to use crypto when communication with you towards another party of the central service or monitoring the central service. This third party can then see the communication pattern. However this maybe a temporary solution until you will convince your mail provider to enable at least the WKD serving part or to switch to a more privacy aware mail provider. One service is keys.openpgp.org, where you can set the ~C~N~A~M~E record of the "openpgpkey" subdomainto "wkd.keys.openpgp.org" the CNAME entry should look like this. {{{ openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org. }}} In addition you need to register your pubkey with them. Other drawbacks: * As any WKD service, they'll be able to serve a different pubkey to some domains at some time, however opposed to your email provider you do not have a contractual relationship with them. * Elder Gnu~PGs like the some on Debian Stretch do not offer the necessary modern WKD implementation for a successful request, so you are reaching less communication partners with this compared to real WKD. * (For the overall ecosystem, we need more decentral services instead, it is at the core of Open~PGP security promise. So you are missing to set a good example. ;) ) == Web Key Directory (WKD) / Web Key Service (WKS) what is the difference? The Web Key Directory is the H~T~T~P~S directory from which keys can be fetched. The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is **optional** to reduce the administrative effort of a Web Key Directory. Documentation how to set up a Web Key Service can be found on the [[WKS|Web Key Service page]]. == Technical Details You can find the concepts / technical details under WKDDetails. Trust and security considerations are outlined as part of the AutomatedEncryption concept. === Troubleshooting If you have arrived here after receiving an email saying: {{{ The web page https://gnupg.org/faq/wkd.html explains how you can process this message anyway in a few manual steps. }}} you can find further instructions at WKSManualConfirmation. |
| Line 43: | Line 119: |
| === Current GnuPG 2.2 * WKD lookup since v2.1.12, enabled by default since 2.1.23. Widespread rollout in 2017 because the old GnuPG 2.0 is scheduled end-of-life December 2017. |
=== GnuPG * WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23. ** Use {{{gpg --locate-external-keys user@example.com}}} to fetch Open~PGP-Keys via WKD. * WKS server and client tools are part of GnuPG since v2.1.14 |
| Line 47: | Line 124: |
| * WKS server and client tools since GnuPG v2.1.14 which may help some providers (especially smaller ones) see the [[WKS|Web Key Service page]]. |
=== Mail Clients |
| Line 50: | Line 126: |
| === Mail User Agents (Note that mail users agents using a modern GnuPG 2.2 will automatically do WKD requests via GnuPG. So they are WKD ready.) |
Any mail client which uses the {{{--locate-keys}}} option of GnuPG will automatically do WKD requests. |
| Line 54: | Line 129: |
| ==== Automatic pubkey bootstrapping (using the Web Key Service) * basic (pre-release) Kontact Mail/KMail support (part of EasyGpg2016) * basic (pre-release) Thunderbird/Enigmail support (part of EasyGpg2016) * active consideration in planning for mutt * active consideration in planning for GpgOL (Gpg4win's Outlook Plugin) |
Known mail clients with WKD Support: * Desktop: ** Thunderbird/[[https://www.enigmail.net/index.php/en/download/changelog|Enigmail 2.0]] ** KMail since Version 5.6 ** Outlook with GpgOL since Version 2.2.0 ** Claws Mail since [[https://www.claws-mail.org/news.php|3.18.0 / 4.0.0]] ** Balsa has no official release - which is supporting WKD - yet but the feature was [[https://gitlab.gnome.org/GNOME/balsa/-/commit/03272a0e053002c7b5cf53d3dc8f87229b8552a4|merged]] into the main branch * Browser-Extensions: ** Mailvelope since Version 3.0.0 (Dez 2018) * Android: ** [[https://k9mail.app/|K9Mail]] with OpenKeyChain since Version 5.1 (Jun 2018) ** [[https://email.faircode.eu/|FairEmail]] with OpenKeyChain since OpenKeyChain 5.4 ([[https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-content-faq12|FAQ, (12) How does encryption/decryption work?]]) |
| Line 60: | Line 142: |
| === Mail Service Providers * [[https://posteo.de/en/|Posteo]] offers web key directory lookup and service for {{{@posteo.de}}}-addresses (Since 2016-12) * (gnupg.org) Testing accounts by request for developers implementing WKS in Free Software ~MUAs. * (Several smaller organisations. Like - unsurprisingly - g10code.com and intevation.de. //Let us know if you want to be publically listed.//) |
[[/DistributionOfWKD|Progress of WKD]] in different mail clients |
| Line 67: | Line 144: |
| ==== WKD stand-a-lone (without WKS) * [[WKDHosting|wks-tools]] helps to publish a single pubkeyring via static ~H~TTPS. |
Known mail clients with WKS Support: * Thunderbird/[[https://www.enigmail.net/index.php/en/download/changelog|Enigmail 2.0]] * KMail since Version 5.6 * Outlook with GpgOL (basic, pre-release) since Version 2.2.1 asyGpg2016) === Self-hosted email setups offering WKD + WKS: * [[https://github.com/vedetta-com/caesonia/|caesonia - OpenBSD email service]]. * [[https://github.com/Excision-Mail/Excision-Mail/| Excision Mail - OpenBSD email service using ansible]]: Has multiple-domain WKS support. * [[https://github.com/systemli/userli|Userli - Web application to (self-) manage e-mail users and encrypt their mailboxes.]]. === Online checkers (external services, your mileage my wary) * [[https://WebKeyDirectory.com|WebKeyDirectory.com]] (source code not public, and some recommendations differ a bit from the specification (2025-02-19)) * [[https://wkd.chimbosonic.com/|wkd.chimbosonic.com]] (source code at https://github.com/chimbosonic/wkd-tester ) === Mail Service Providers offering WKD * [[https://forwardemail.net/faq#do-you-support-openpgpmime-end-to-end-encryption-e2ee-and-web-key-directory-wkd|Forward Email]] has WKD support for inbound, outbound, and forwarded mail. (**Since 2023-12-27**) * [[https://posteo.de/en/|Posteo]] offers web key directory lookup and service for {{{@posteo.de}}}-addresses (**Since 2016-12**) ** [[https://posteo.de/en/help/publishing-public-pgp-key-for-posteo-email-address|How do I publish the public PGP key for my Posteo email address in the Posteo key directory?]] * [[https://protonmail.com|Protonmail]] supports web key directory lookup (**Since ~2018-11**) in [[https://protonmail.com/blog/security-updates-2019/|both ways]]. * [[https://netzguerilla.net|netzguerilla]] offers web key directory lookup. (**Since 2017-10-11**) * [[https://systemli.org|systemli.org]] offers web key directory lookup and service for all hosted domains (**Since 2020-10-15**) * [[https://mailbox.org/en/|mailbox.org]] **claims** to offer web key directory lookup ** See announcement https://mailbox.org/en/post/the-keyserver-is-dead-long-live-the-keyserver 2019 ** In the forum in 2021 a question (German) was asked when WKD would be offered. The thread was deleted but you can find it via the Internet Archive: https://web.archive.org/web/20211019060747/https://userforum.mailbox.org/topic/wann-wird-ein-web-key-directory-wkd-angeboten ** At least the Open~PGP key for the [[https://mailbox.org/de/impressum|privacy mail address]] of mailbox.org can be found via: *** Direct Method: https://mailbox.org/.well-known/openpgpkey/hu/15siaihjsf4kyfkzxrqe7r5gqqzr5f39?l=privacy *** Advanced Method: https://openpgpkey.mailbox.org/.well-known/openpgpkey/mailbox.org/hu/15siaihjsf4kyfkzxrqe7r5gqqzr5f39?l=privacy ** The command {{{ gpg-wks-client --with-colons --supported mailbox.org }}} also gives a positive result * [[https://mail.de/|mail.de]] maintains a WKD server (Screenshot: [[attachment:mailde_wkd.png]]) * [[https://mailfence.com/|Mailfence]] supports web key directory lookup (**Since ~2021-11-18**) in [[https://blog.mailfence.com/improving-security/|both ways]]. === Organizations using WKD * [[https://www.c3s.cc|C3S]] * [[https://www.credativ.de/blog/aktuelles/credativde-pgp-schluessel-ueber-wkd-abrufen/|Credativ GmbH, DE]] * [[https://www.debian.org|debian.org]] * [[https://gentoo.org|gentoo.org]] * [[https://gnupg.org|gnupg.org]] (Testing accounts available for developers implementing WKD in ~MUAs.) * [[https://kdab.com|KDAB.com]] * [[https://kernel.org|kernel.org]] * [[https://nikkasystems.com|Nikka Systems]] * [[https://www.occrp.org|occrp.org]] * [[https://www.torproject.org|torproject.org]] * [[https://f-droid.org|f-droid.org]] * [[https://guardianproject.info|guardianproject.info]] * [[https://www.privacyguides.org|privacyguides.org]] * [[https://univention.de/wkd/|Univention GmbH]] * (Several unlisted organisations. And of course the main designers of WKD - g10code.com, intevation.de.) (//Add yourself or let us know if you want to be publicly listed.//) == Misc * [[/BachelorThesisIncreaseWKDUsage2021|Bachelor thesis: How to increase the usage of WKD? (2021, Christoph Klassen)]] |
Contents
What is a Web Key Directory?
A Web Key Directory (WKD) provides an easy way to provide and get the current public key for a given email address through HTTPS. Thus it is infrastructure to improve the user experience for exchanging secure emails and files.
Because the email address is needed to ask for a public key, using a Web Key Directory preserves the privacy of this address. If a public key is found, it can be used to encrypt to the email address right away.
for Users
- Explanations: /forUsers
- Usage: See section Implementations
How does an email client use WKD?
- A user selects a recipient for an email.
- The email client uses the domain part of the email address to construct which server to ask.
- HTTPS is used to get the current public key.
- The email client is ready to encrypt and send now.
An example: https://intevation.de/.well-known/openpgpkey/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4?l=bernhard.reiter is the direct method URL for "bernhard.reiter@intevation.de".
gpg-wks-client command can be used to generate wkd hash or wkd url for any email address, though it seems to prefer the subdomain method url over direct url.
$ gpg-wks-client --print-wkd-hash bernhard.reiter@intevation.de it5sewh54rxz33fwmr8u6dy4bbz8itz4 bernhard.reiter@intevation.de
$ gpg-wks-client --print-wkd-url bernhard.reiter@intevation.de https://openpgpkey.intevation.de/.well-known/openpgpkey/intevation.de/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4?l=bernhard.reiter
What does it mean for users?
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if encryption keys can be found for all of them.
For a basic level of security the user does not need to check a fingerprint or do any key management manually.
How to set it up?
If you want to set up a Web Key Directory for your own server or your own server you only need access to a webserver for your domain. See: WKDHosting
For a larger organization it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.
Stopgap method - temporary central keyserver
Not recommended - but a temporary workaround - is to use "WKDaaS" and delegate delivery of your pubkey to a central service. Doing this you'll expose all people that want to use crypto when communication with you towards another party of the central service or monitoring the central service. This third party can then see the communication pattern.
However this maybe a temporary solution until you will convince your mail provider to enable at least the WKD serving part or to switch to a more privacy aware mail provider.
One service is keys.openpgp.org, where you can set the CNAME record of the "openpgpkey" subdomainto "wkd.keys.openpgp.org" the CNAME entry should look like this.
openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org.
In addition you need to register your pubkey with them.
Other drawbacks:
- As any WKD service, they'll be able to serve a different pubkey to some domains at some time, however opposed to your email provider you do not have a contractual relationship with them.
- Elder GnuPGs like the some on Debian Stretch do not offer the necessary modern WKD implementation for a successful request, so you are reaching less communication partners with this compared to real WKD.
- (For the overall ecosystem, we need more decentral services instead, it is at the core of OpenPGP security promise. So you are missing to set a good example. ;) )
Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?
The Web Key Directory is the HTTPS directory from which keys can be fetched.
The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional to reduce the administrative effort of a Web Key Directory.
Documentation how to set up a Web Key Service can be found on the Web Key Service page.
Technical Details
You can find the concepts / technical details under WKDDetails.
Trust and security considerations are outlined as part of the AutomatedEncryption concept.
Troubleshooting
If you have arrived here after receiving an email saying:
The web page
https://gnupg.org/faq/wkd.html
explains how you can process this message anyway in
a few manual steps.you can find further instructions at WKSManualConfirmation.
Implementations
GnuPG
- WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23.
- Use gpg --locate-external-keys user@example.com to fetch OpenPGP-Keys via WKD.
- WKS server and client tools are part of GnuPG since v2.1.14
Mail Clients
Any mail client which uses the --locate-keys option of GnuPG will automatically do WKD requests.
Known mail clients with WKD Support:
- Desktop:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL since Version 2.2.0
- Claws Mail since 3.18.0 / 4.0.0
- Balsa has no official release - which is supporting WKD - yet but the feature was merged into the main branch
- Browser-Extensions:
- Mailvelope since Version 3.0.0 (Dez 2018)
- Android:
- K9Mail with OpenKeyChain since Version 5.1 (Jun 2018)
- FairEmail with OpenKeyChain since OpenKeyChain 5.4 (FAQ, (12) How does encryption/decryption work?)
Progress of WKD in different mail clients
Known mail clients with WKS Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL (basic, pre-release) since Version 2.2.1 asyGpg2016)
Self-hosted email setups offering WKD + WKS:
- caesonia - OpenBSD email service.
- Excision Mail - OpenBSD email service using ansible: Has multiple-domain WKS support.
- Userli - Web application to (self-) manage e-mail users and encrypt their mailboxes..
Online checkers
(external services, your mileage my wary)
- WebKeyDirectory.com (source code not public, and some recommendations differ a bit from the specification (2025-02-19))
- wkd.chimbosonic.com (source code at https://github.com/chimbosonic/wkd-tester )
Mail Service Providers offering WKD
- Forward Email has WKD support for inbound, outbound, and forwarded mail. (Since 2023-12-27)
- Posteo offers web key directory lookup and service for @posteo.de-addresses (Since 2016-12)
- Protonmail supports web key directory lookup (Since 2018-11) in both ways.
- netzguerilla offers web key directory lookup. (Since 2017-10-11)
- systemli.org offers web key directory lookup and service for all hosted domains (Since 2020-10-15)
- mailbox.org claims to offer web key directory lookup
- See announcement https://mailbox.org/en/post/the-keyserver-is-dead-long-live-the-keyserver 2019
- In the forum in 2021 a question (German) was asked when WKD would be offered. The thread was deleted but you can find it via the Internet Archive: https://web.archive.org/web/20211019060747/https://userforum.mailbox.org/topic/wann-wird-ein-web-key-directory-wkd-angeboten
- At least the OpenPGP key for the privacy mail address of mailbox.org can be found via:
- The command gpg-wks-client --with-colons --supported mailbox.org also gives a positive result
- mail.de maintains a WKD server (Screenshot: attachment:mailde_wkd.png)
- Mailfence supports web key directory lookup (Since 2021-11-18) in both ways.
Organizations using WKD
- C3S
- Credativ GmbH, DE
- debian.org
- gentoo.org
- gnupg.org (Testing accounts available for developers implementing WKD in MUAs.)
- KDAB.com
- kernel.org
- Nikka Systems
- occrp.org
- torproject.org
- f-droid.org
- guardianproject.info
- privacyguides.org
- Univention GmbH
- (Several unlisted organisations. And of course the main designers of WKD - g10code.com, intevation.de.)
(Add yourself or let us know if you want to be publicly listed.)