Revision comparison (size and edit comment of the two revisions):
Size: 4527, Comment: List kernel.org
Size: 5194, Comment: Make note of the keys.openpgp.org hack.
Line 1: | Line 1: |
= Much easier Email crypto, by fetching pubkey via HTTPS | <<TableOfContents(2)>> == What is a Web Key Directory? Web Key Directories provide an easy way to discover public keys through H~T~T~P~S. They provide an important piece to the infrastructure **to improve the user experience for exchanging secure emails and files**. In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain. |
Line 4: | Line 13: |
As an email user, you just select the recipient(s) and can see that the email will be encrypted. | |
Line 6: | Line 14: |
If you and your peers use email-providers offering this "service", it works by the first email. Otherwise encryption will start after you have exchanged some emails. |
# The sender's mail client checks a "well known" U~R~L on the domain of the recipient. # If a public key is available for that mail address, will be downloaded via H~T~T~P~S. # The downloaded pubkey can now be used without further user interaction. |
Line 9: | Line 20: |
Such an URL looks like: {{{https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h}}} for the mail address "aheinecke@intevation.de" |
|
Line 10: | Line 23: |
Technically your email client will automatically * prepare for this by creating a crypto key for you and uploading it to your provider (or second best to public keyservers). * sign all emails so others see that you are ready for crypto (unless you opt out) * ask the mail provider of your recipients for their pubkeys. |
== What does it mean for users? |
Line 16: | Line 25: |
An email-provider supporting privacy can * provide a pubkey for users via ~HT~TPS, called "web key directory" (WKD). * allow each user's email client to automatically manage the pubkey that gets published by email, called "web key service" (WKS). * (if offering web-based email:) support the client part as well. |
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory. |
Line 22: | Line 29: |
[[https://files.intevation.de/users/aheinecke/wkd-autoencrypt.gif|Example from Gpg4win / GpgOL]] | |
Line 23: | Line 31: |
== Details / Discussion | For a basic level of security the user does **not need to check a fingerprint** or do any key management manually. |
Line 25: | Line 34: |
**[[EasyGpg2016/PubkeyDistributionConcept|Pubkey Distribution Concept]] <- the (technical) details** | == How to set it up? |
Line 27: | Line 36: |
* 2016-09-08 ~OpenPGP.conf presentation by Werner Koch: [[https://www.openpgp-conf.org/program.html#werner|Abstract]] [[https://www.openpgp-conf.org/2016/openpgp-2016-simple-key-discovery.pdf|Slides.PDF]] * 2016-09-08 ~OpenPGP.conf presentation by Bernhard Reiter, pages 21-24 [[https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.odp|Slides.ODP]] [[https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.pdf|Slides.PDF]] * 2016-09-09 //[[http://www.golem.de/news/web-key-service-openpgp-schluessel-ueber-https-verteilen-1609-123194.html|OpenPGP-Schlüssel über HTTPS verteilen]]// Golem news by Hanno Böck * 2016-09-11 //[[https://www.heise.de/newsticker/meldung/Spezifikation-fuer-die-Verteilung-von-OpenPGP-Keys-per-HTTPS-veroeffentlicht-3317914.html|Spezifikation für die Verteilung von OpenPGP-Keys per HTTPS veröffentlicht]]// Heise news by Johannes Merkert * 2016-09-11 //[[http://lists.gnupg.org/pipermail/gnupg-de/2016-September/000547.html|Anmerkungen zum Web Key Service]]// gnupg-de@ by Werner Koch * 2017-07-28 Draft 04 of the specs published (see details page linked above). * 2017-10-10 LWN covers [[https://lwn.net/Articles/735840/|Werner Koch's talk at Kernel Recipies 2017]] |
If you want to set up a Web Key Directory for your organization you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting |
Line 41: | Line 40: |
The elaborated proposal is a result of the EasyGpg2016 contract. | For a larger organization it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing. As an alternative you might delegate the key management to a centralized service like keys.openpgp.org to do that just set the ~C~N~A~M~E record of the "openpgpkey" subdomainto "wkd.keys.openpgp.org" the CNAME entry should look like this. {{{ openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org. }}} This delegates the "trust" in which keys people should use for your domain to keys.openpgp.org so it is not recommended as this will then be outside of your own control. == Web Key Directory (WKD) / Web Key Service (WKS) what is the difference? The Web Key Directory is the H~T~T~P~S directory from which keys can be fetched. The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is **optional** to reduce the administrative effort of a Web Key Directory. Documentation how to set up a Web Key Service can be found on the [[WKS|Web Key Service page]]. == Technical Details You can find the concepts / technical details under WKDDetails. Trust and security considerations are outlined as part of the AutomatedEncryption concept. |
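Review bot: in the added keys.openpgp.org paragraph, "subdomainto" should read "subdomain to", and the sentence from "As an alternative" to "look like this." runs three statements together; split it, e.g. "... a centralized service like keys.openpgp.org. To do that, set the CNAME record of the "openpgpkey" subdomain to "wkd.keys.openpgp.org". The entry should look like this:". The closing sentence would also be clearer if it named the consequence directly: with the CNAME in place, keys.openpgp.org decides which keys are served for the domain, which is why the page advises against it.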
Line 45: | Line 67: |
=== Current GnuPG 2.2 * WKD lookup since v2.1.12, enabled by default since 2.1.23. Widespread rollout in 2017 because the old GnuPG 2.0 is scheduled end-of-life December 2017. |
=== GnuPG * WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23.. |
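Review bot: the new GnuPG bullet ends with a doubled period ("2.1.23.."), and the WKS bullet added in the next hunk lacks a closing period; both lists should be punctuated the same way.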
Line 49: | Line 70: |
* WKS server and client tools since GnuPG v2.1.14 which may help some providers (especially smaller ones) see the [[WKS|Web Key Service page]]. |
* WKS server and client tools are part of GnuPG since v2.1.14 |
Line 52: | Line 72: |
=== Mail User Agents (Note that mail users agents using a modern GnuPG 2.2 will automatically do WKD requests via GnuPG. So they are WKD ready.) |
=== Mail Clients |
Line 56: | Line 74: |
==== Automatic pubkey bootstrapping (using the Web Key Service) * Thunderbird/[[https://www.enigmail.net/index.php/en/download/changelog|Enigmail 2.0]] comes with WKD lookup and WKS publishing (since 2018-03-25). * basic (pre-release) Kontact Mail/KMail support (part of EasyGpg2016) * basic (pre-release) Thunderbird/Enigmail support (part of EasyGpg2016) * active consideration in planning for mutt * active consideration in planning for GpgOL (Gpg4win's Outlook Plugin) |
Any mail client which uses the {{{--locate-keys}}} option of GnuPG will automatically do WKD requests. |
Line 63: | Line 77: |
=== Mail Service Providers | Known mail clients with WKD Support: * Thunderbird/[[https://www.enigmail.net/index.php/en/download/changelog|Enigmail 2.0]] * KMail since Version 5.6 * Outlook with GpgOL since Version 2.2.0 * Mailvelope since Version 3.0.0 (Dez 2018) Known mail clients with WKS Support: * Thunderbird/[[https://www.enigmail.net/index.php/en/download/changelog|Enigmail 2.0]] * KMail since Version 5.6 * Outlook with GpgOL (basic, pre-release) since Version 2.2.1 asyGpg2016) === Mail Service Providers offering WKD |
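Review bot: the GpgOL entry in the "Known mail clients with WKS Support" list carries a stray fragment "asyGpg2016)"; the deleted text on the left shows "(part of EasyGpg2016)" in the old list, so either restore that wording or drop the fragment. In the same hunk "Dez 2018" in the Mailvelope line should be "Dec 2018" on this English page.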
Line 65: | Line 91: |
(**Since 2016-12**) | (**Since 2016-12**) E.g. [[https://posteo.de/hilfe/easygpg-wie-veroeffentliche-ich-meinen-oeffentlichen-pgp-schluessel-ueber-web-key-directory-wkd-im-posteo-schluesselverzeichnis|German Thunderbird/WKD Instructions]] * [[https://protonmail.com|Protonmail]] supports web key directory lookup (**Since ~2018-11**) |
Line 71: | Line 98: |
=== Organisations using WKD | |
Line 73: | Line 99: |
=== Organizations using WKD * [[https://www.c3s.cc|C3S]] * [[https://www.cotech.de|cotech.de]] * [[https://www.debian.org|debian.org]] * [[https://gentoo.org|gentoo.org]] * [[https://gnupg.org|gnupg.org]] (Testing accounts available for developers implementing WKD in ~MUAs.) * [[https://kdab.com|KDAB.com]] |
|
Line 74: | Line 108: |
* [[https://gnupg.org|gnupg.org]] (Testing accounts available for developers implementing WKD in ~MUAs.) * (Several smaller organisations. Like - unsurprisingly - g10code.com and intevation.de. //Let us know if you want to be publically listed.//) ==== WKD stand-a-lone (without WKS) * [[WKDHosting|wks-tools]] helps to publish a single pubkeyring via static ~H~TTPS. |
* [[https://www.occrp.org|occrp.org]] * [[https://www.torproject.org|torproject.org]] * [[https://f-droid.org|f-droid.org]] * [[https://guardianproject.info|guardianproject.info]] * [[https://privacytools.io|privacytools.io]] * (Several smaller organizations. Like - unsurprisingly - g10code.com and intevation.de. //Let us know if you want to be publicly listed.//) |
What is a Web Key Directory?
Web Key Directories provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files.
In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain.
How does it work?
- The sender's mail client checks a "well known" URL on the domain of the recipient.
- If a public key is available for that mail address, it will be downloaded via HTTPS.
- The downloaded pubkey can now be used without further user interaction.
Such a URL looks like: https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h for the mail address "aheinecke@intevation.de".
What does it mean for users?
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory.
For a basic level of security the user does not need to check a fingerprint or do any key management manually.
How to set it up?
If you want to set up a Web Key Directory for your organization you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting
For a larger organization it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.
As an alternative you can delegate key management to a centralized service like keys.openpgp.org. To do that, set the CNAME record of the "openpgpkey" subdomain to "wkd.keys.openpgp.org". The CNAME entry should look like this:
openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org.
This delegates the "trust" in which keys people should use for your domain to keys.openpgp.org, so it is not recommended: which keys are served for your domain is then outside of your own control.
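As an added example (Python, not code from this wiki or from GnuPG), the following covers both the lookup described under "How does it work?" and the directory layout a site has to publish under "How to set it up?". The function names (wkd_hash, wkd_urls, publish_key, publish_to_tempdir) are this example's own. The mapping rules are assumptions taken from the WKD draft, which this page does not spell out: the local part of the address is lowercased and hashed with SHA-1, the digest is written in z-base-32, and besides the "direct" URL form shown on this page there is an "advanced" form on the openpgpkey subdomain, which is the form a CNAME delegation to keys.openpgp.org serves. Newer drafts also append the local part as a query parameter; that is offered as an option.

```python
"""Web Key Directory (WKD) address mapping and publishing.

Added example; this is not code from the GnuPG wiki or from GnuPG.
Function names are this example's own. The mapping rules are assumptions
taken from the WKD draft: the local part is lowercased and hashed with
SHA-1, and the 20-byte digest is written in z-base-32 (32 characters).
"""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import quote

# z-base-32 alphabet (assumption from the WKD draft, not from this page).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# The lookup URL the page lists for "aheinecke@intevation.de" (direct form).
PAGE_EXAMPLE_URL = (
    "https://intevation.de/.well-known/openpgpkey/hu/"
    "g8td9rsyatrazsoiho37j9n3g5ypp34h"
)


def zbase32_encode(data: bytes) -> str:
    """Encode bytes in z-base-32: 5 bits per character, MSB first, no padding."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # trailing bits are right-padded with zeros
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def split_address(address: str):
    """Return (local_part, domain); the domain is case-insensitive, so lowercase it."""
    local_part, domain = address.rsplit("@", 1)
    return local_part, domain.lower()


def wkd_hash(address: str) -> str:
    """Hashed local part, used as the file name under .../openpgpkey/hu/."""
    local_part, _ = split_address(address)
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str, with_local_part: bool = False) -> dict:
    """Both URL forms a client may try.

    'direct' is the form shown on this page; 'advanced' lives on the
    openpgpkey subdomain, i.e. it is what keys.openpgp.org answers when the
    CNAME delegation from this page is in place. Newer drafts append
    ?l=<local-part>; pass with_local_part=True for that.
    """
    local_part, domain = split_address(address)
    query = f"?l={quote(local_part)}" if with_local_part else ""
    h = wkd_hash(address)
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
        "advanced": (
            f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
            f"{domain}/hu/{h}{query}"
        ),
    }


def publish_key(root, address: str, key_bytes: bytes, advanced: bool = False) -> Path:
    """Write a binary (non-armored) public key into the WKD layout under root.

    Creates .well-known/openpgpkey/[<domain>/]hu/<hash> and the empty
    'policy' file next to 'hu' that the draft expects a directory to serve.
    """
    _, domain = split_address(address)
    base = Path(root) / ".well-known" / "openpgpkey"
    if advanced:
        base = base / domain
    hu_dir = base / "hu"
    hu_dir.mkdir(parents=True, exist_ok=True)
    (base / "policy").touch()
    key_path = hu_dir / wkd_hash(address)
    key_path.write_bytes(key_bytes)
    return key_path


def publish_to_tempdir(address: str, key_bytes: bytes, advanced: bool = False):
    """Convenience wrapper: publish into a fresh temporary web root."""
    root = tempfile.mkdtemp(prefix="wkd-")
    return root, publish_key(root, address, key_bytes, advanced)


if __name__ == "__main__":
    urls = wkd_urls("aheinecke@intevation.de")
    for kind, url in urls.items():
        print(f"{kind:8s} {url}")
    print("matches page example:", urls["direct"] == PAGE_EXAMPLE_URL)
    # Constructed placeholder bytes, not a real OpenPGP key.
    sample_key = b"constructed placeholder, not an OpenPGP key"
    root, path = publish_to_tempdir("aheinecke@intevation.de", sample_key)
    print("published to", path)
```

Run it to see the two URL forms for the page's example address and a throw-away web root laid out the way a WKD server has to serve it. The key file must be the binary export of the key, not ASCII-armored, and the web server must deliver the hu/ directory over HTTPS with a valid certificate, since the certificate is the only thing that ties the served key to the domain.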
Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?
The Web Key Directory is the HTTPS directory from which keys can be fetched.
The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional to reduce the administrative effort of a Web Key Directory.
Documentation how to set up a Web Key Service can be found on the Web Key Service page.
Technical Details
You can find the concepts / technical details under WKDDetails.
Trust and security considerations are outlined as part of the AutomatedEncryption concept.
Implementations
GnuPG
- WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23.
- WKS server and client tools are part of GnuPG since v2.1.14.
Mail Clients
Any mail client which uses the --locate-keys option of GnuPG will automatically do WKD requests.
Known mail clients with WKD Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL since Version 2.2.0
- Mailvelope since Version 3.0.0 (Dec 2018)
Known mail clients with WKS Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL (basic, pre-release) since Version 2.2.1
Mail Service Providers offering WKD
- Posteo offers web key directory lookup and service for @posteo.de addresses (Since 2016-12). See e.g. the German Thunderbird/WKD instructions.
- Protonmail supports web key directory lookup (Since 2018-11)
- netzguerilla offers web key directory lookup. (Since 2017-10-11)
- mailbox.org plans to offer web key directory lookup in Q2 2018 (coming with OX Guard 2.10).
- (Self-)hosted email servers that run caesonia, an OpenBSD email service setup.
Organizations using WKD
- C3S
- cotech.de
- debian.org
- gentoo.org
- gnupg.org (Testing accounts available for developers implementing WKD in MUAs.)
- KDAB.com
- kernel.org
- occrp.org
- torproject.org
- f-droid.org
- guardianproject.info
- privacytools.io
- (Several smaller organizations, like, unsurprisingly, g10code.com and intevation.de. Let us know if you want to be publicly listed.)