Expand explanation about "WKDaaS".
Added self hosted section for WKD + WKS
|Deletions are marked like this.||Additions are marked like this.|
|Line 42:||Line 42:|
|=== stopgap - temporary central keyserver||=== Stopgap method - temporary central keyserver|
|Line 44:||Line 44:|
|Not recommended - but a temporary workaround - is to use like "WKD~aaS"||Not recommended - but a temporary workaround - is to use "WKD~aaS"|
|Line 106:||Line 106:|
|=== Self-hosted email setups offering WKD + WKS:
* [[https://github.com/AnsiMail/AnsiMail/| AnsiMail - OpenBSD email service using ansible]]: Has multiple-domain WKS support.
* [[https://github.com/vedetta-com/caesonia/|caesonia - OpenBSD email service]].
|Line 113:||Line 117:|
|* (Self)-hosted email servers that run [[https://github.com/vedetta-com/caesonia/|caesonia - an OpenBSD Email Service]] setup.|
What is a Web Key Directory?
Web Key Directories provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files.
In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain.
How does it work?
- The sender's mail client checks a "well known" URL on the domain of the recipient.
- If a public key is available for that mail address, will be downloaded via HTTPS.
- The downloaded pubkey can now be used without further user interaction.
Such an URL looks like: https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h for the mail address "firstname.lastname@example.org"
What does it mean for users?
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory.
For a basic level of security the user does not need to check a fingerprint or do any key management manually.
How to set it up?
If you want to set up a Web Key Directory for your own server or your own server you only need access to a webserver for your domain. See: WKDHosting
For a larger organization it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.
Stopgap method - temporary central keyserver
Not recommended - but a temporary workaround - is to use "WKDaaS" and delegate delivery of your pubkey to a central service. Doing this you'll expose all people that want to use crypto when communication with you towards another party of the central service or monitoring the central service. This third party can then see the communication pattern.
However this maybe a temporary solution until you will convince your mail provider to enable at least the WKD serving part or to switch to a more privacy aware mail provider.
One service is keys.openpgp.org, where you can set the CNAME record of the "openpgpkey" subdomainto "wkd.keys.openpgp.org" the CNAME entry should look like this.
openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org.
In addition you need to register your pubkey with them.
- As any WKD service, they'll be able to serve a different pubkey to some domains at some time, however opposed to your email provider you do not have a contractual relationship with them.
- Elder GnuPGs like the some on Debian Stretch do not offer the necessary modern WKD implementation for a successful request, so you are reaching less communication partners with this compared to real WKD.
- (For the overall ecosystem, we need more decentral services instead, it is at the core of OpenPGP security promise. So you are missing to set a good example. ;) )
Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?
The Web Key Directory is the HTTPS directory from which keys can be fetched.
The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional to reduce the administrative effort of a Web Key Directory.
Documentation how to set up a Web Key Service can be found on the Web Key Service page.
You can find the concepts / technical details under WKDDetails.
Trust and security considerations are outlined as part of the AutomatedEncryption concept.
- WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23..
- WKS server and client tools are part of GnuPG since v2.1.14
Any mail client which uses the --locate-keys option of GnuPG will automatically do WKD requests.
Known mail clients with WKD Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL since Version 2.2.0
- Mailvelope since Version 3.0.0 (Dez 2018)
Known mail clients with WKS Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL (basic, pre-release) since Version 2.2.1 asyGpg2016)
Self-hosted email setups offering WKD + WKS:
- AnsiMail - OpenBSD email service using ansible: Has multiple-domain WKS support.
- caesonia - OpenBSD email service.
Mail Service Providers offering WKD
- Posteo offers web key directory lookup and service for @posteo.de-addresses (Since 2016-12) E.g. German Thunderbird/WKD Instructions
- Protonmail supports web key directory lookup (Since 2018-11)
- netzguerilla offers web key directory lookup. (Since 2017-10-11)
- mailbox.org plans to offer web key directory lookup in Q2 2018 (coming with OX Guard 2.10).
Organizations using WKD
- gnupg.org (Testing accounts available for developers implementing WKD in MUAs.)
- (Several smaller organizations. Like - unsurprisingly - g10code.com and intevation.de. Let us know if you want to be publicly listed.)