What is a Web Key Directory?
Web Key Directories provide an easy way to discover public keys through HTTPS.
In contrast to the public keyservers, a Web Key Directory does not publish mail addresses, and it is an authoritative key source for its own domain.
How does it work?
- The sender's mail client (through GnuPG) checks a "well known" URL on the domain of the recipient.
- If a key is available for that address, it can be downloaded via HTTPS.
- The downloaded key can now be used for automatic encryption.
Such a URL looks like https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h for the mail address "aheinecke@intevation.de".
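The following added example (not code from this wiki page or from GnuPG) shows how the URL above is derived: the local part is lower-cased, hashed with SHA-1 and encoded with z-base-32, giving the 32-character name under "hu/". It covers only the direct URL form shown on the page; the z-base-32 alphabet is taken from the WKD specification, and the function names and the user-ID check at the end are this example's own additions.

```python
import hashlib

# z-base-32 alphabet (from the WKD specification, not from the wiki page).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit first."""
    nchars = (len(data) * 8 + 4) // 5
    # Right-pad with zero bits so the bit string is a multiple of 5.
    value = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_hashed_local_part(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_url(address: str) -> str:
    """Build the direct-method WKD URL for a mail address (form shown on the page)."""
    local_part, domain = address.rsplit("@", 1)
    hashed = wkd_hashed_local_part(local_part)
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{hashed}"


def key_matches_request(address: str, user_ids) -> bool:
    """A WKD is authoritative only for its own domain, so a client should accept
    a fetched key only if one of its user IDs carries exactly the requested
    address (compared case-insensitively); keys for other addresses are rejected.
    user_ids are constructed strings like 'Name <mail@domain>' or 'mail@domain'."""
    wanted = address.lower()
    for uid in user_ids:
        if "<" in uid and uid.endswith(">"):
            mail = uid[uid.rfind("<") + 1:-1]
        else:
            mail = uid
        if mail.strip().lower() == wanted:
            return True
    return False


if __name__ == "__main__":
    print(wkd_url("aheinecke@intevation.de"))
```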
What does it mean for users?
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory.
For a basic level of security the user does not need to check a fingerprint or do any key management manually.
How to set it up?
If you want to set up a Web Key Directory for your organisation you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting
For a larger organisation it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.
Web Key Directory (WKD) / Web Key Service (WKS): what is the difference?
The Web Key Directory is the HTTPS directory from which keys can be fetched.
The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional and serves to reduce the administrative effort of maintaining a Web Key Directory.
Documentation on how to set up a Web Key Service can be found on the Web Key Service page.
Technical Details
You can find the concepts / technical details under WKDDetails.
Trust and security considerations are outlined as part of the AutomatedEncryption concept.
Implementations
GnuPG
- WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23.
- WKS server and client tools are part of GnuPG since v2.1.14.
Mail Clients
Any mail client which uses the --locate-keys option of GnuPG will automatically do WKD requests.
Known mail clients with WKD Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL since Version 2.2.0
Known mail clients with WKS Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL (basic, pre-release) since Version 2.2.1
Mail Service Providers offering WKD
- Posteo offers web key directory lookup and service for @posteo.de addresses (since 2016-12)
- netzguerilla offers web key directory lookup. (Since 2017-10-11)
- mailbox.org plans to offer web key directory lookup in Q2 2018 (coming with OX Guard 2.10).
- Self-hosted email servers running caesonia, an OpenBSD Email Service setup.
Organizations using WKD
- cotech.de
- KDAB.com
- kernel.org
- gnupg.org (Testing accounts available for developers implementing WKD in MUAs.)
- Several smaller organizations, such as (unsurprisingly) g10code.com and intevation.de. Let us know if you want to be publicly listed.