What is a Web Key Directory?

A Web Key Directory (WKD) provides an easy way to publish and retrieve the current public key for a given email address over HTTPS. It is infrastructure that improves the user experience of exchanging encrypted emails and files, because the client can find the key without the user doing any key management.

Because the email address must already be known before a public key can be requested for it, a Web Key Directory preserves the privacy of the addresses it serves: the local part of the address appears in the URL only as a hash, so the directory cannot be enumerated the way a public keyserver can be searched. If a public key is found, it can be used to encrypt to that email address right away.

For Users

How does an email client use WKD?

  1. A user selects a recipient for an email.
  2. The email client uses the domain part of the email address to determine which server to ask, and a hash of the local part to determine which file to request.
  3. HTTPS is used to get the current public key.
  4. The email client is ready to encrypt and send now.

An example: https://intevation.de/.well-known/openpgpkey/hu/it5sewh54rxz33fwmr8u6dy4bbz8itz4 is the direct method URL for "bernhard.reiter@intevation.de". The directory name "hu" stands for "hashed user-id"; the last path component is the SHA-1 hash of the lower-cased local part "bernhard.reiter", encoded in z-base-32.

What does it mean for users?

A user just selects the recipients of a message; by default the mail is switched to encrypted as soon as encryption keys can be found for all of them.

Example from Gpg4win / GpgOL

For a basic level of security the user does not need to check a fingerprint or do any key management manually.

How to set it up?

If you want to set up a Web Key Directory for your own domain, you only need access to a webserver for that domain. See: WKDHosting

For a larger organization it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.
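The two derivations the steps above and the hosting instructions rely on, as an added example that is not part of this wiki page or of GnuPG: computing the advanced-method and direct-method lookup URLs for an address, and writing a key into the directory layout the direct method expects on a webserver. The z-base-32 alphabet and the hashing rule (SHA-1 over the lower-cased local part, 32 characters, local part passed unchanged in the `l=` parameter) are those of the WKD draft; the webroot path, the function names and the placeholder key bytes are this example's own assumptions, and the placeholder is not a real OpenPGP key. To check the hash function against GnuPG, compare its output for your own address with what `gpg --with-wkd-hash -k <address>` prints.

```python
"""Added example (not GnuPG code): WKD URL derivation and direct-method layout."""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import quote

# z-base-32 alphabet used for the hashed user-id ("hu") path component.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first, without padding."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32_ALPHABET[(acc >> nbits) & 31])
    if nbits:  # never reached for a 160-bit SHA-1 digest (160 = 32 * 5)
        out.append(ZB32_ALPHABET[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address: str) -> dict:
    """Return the hash plus the advanced and direct method URLs for an address.

    The domain is lower-cased. The local part is hashed in lower case but sent
    unchanged in the ``l=`` query parameter so the server can see the original.
    """
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    hu = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    return {
        "hash": hu,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}",
    }


def write_direct_method(webroot: Path, address: str, key_bytes: bytes) -> Path:
    """Publish a key under <webroot>/.well-known/openpgpkey/hu/<hash>.

    Two things that commonly go wrong are enforced here: the key must be binary
    (an ASCII-armoured export is rejected), and the ``policy`` file must exist
    next to ``hu/`` even if it is empty.
    """
    if key_bytes.lstrip().startswith(b"-----BEGIN PGP"):
        raise ValueError("WKD keys must be binary; export with gpg --no-armor")
    base = webroot / ".well-known" / "openpgpkey"
    (base / "hu").mkdir(parents=True, exist_ok=True)
    (base / "policy").touch()
    target = base / "hu" / wkd_urls(address)["hash"]
    target.write_bytes(key_bytes)
    return target


def publish_demo(address: str = "Joe.Doe@Example.ORG") -> str:
    """Write a constructed placeholder (not a real key) into a temporary
    webroot and return the key's path relative to that webroot."""
    placeholder_key = b"\x99\x00\x03\x04\x00\x00"  # constructed bytes, not an OpenPGP key
    root = Path(tempfile.mkdtemp())
    target = write_direct_method(root, address, placeholder_key)
    return target.relative_to(root).as_posix()


def rejects_armored_key() -> bool:
    """True if an ASCII-armoured key is refused by write_direct_method()."""
    try:
        write_direct_method(Path(tempfile.mkdtemp()), "a@example.org",
                            b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, value in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name}: {value}")
    print("published at", publish_demo())
```

A client tries the advanced method first (host openpgpkey.<domain>, path containing the domain again) and falls back to the direct method, so a hosting setup only needs to serve one of the two, but the TLS certificate must be valid for whichever hostname is used.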

Stopgap method - temporary central keyserver

Not recommended - but a temporary workaround - is to use "WKD as a service" and delegate delivery of your public key to a central service. Doing this exposes everyone who wants to use encryption when communicating with you to the operator of that central service and to anyone monitoring it. This third party can then observe the communication pattern, i.e. who intends to write to whom.

However, this may be a temporary solution until you can convince your mail provider to enable at least the WKD serving part, or until you switch to a more privacy-aware mail provider.

One service is keys.openpgp.org, where you point the "openpgpkey" subdomain of your domain at "wkd.keys.openpgp.org" with a CNAME record. The CNAME entry should look like this:

openpgpkey.example.org. 300     IN      CNAME   wkd.keys.openpgp.org.

In addition you need to upload your public key to keys.openpgp.org and verify the email address there, otherwise the service has nothing to serve for your domain.

Other drawbacks:

Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?

The Web Key Directory is the HTTPS directory from which keys can be fetched.

The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional and exists to reduce the administrative effort of running a Web Key Directory.

Documentation how to set up a Web Key Service can be found on the Web Key Service page.

Technical Details

You can find the concepts / technical details under WKDDetails.

Trust and security considerations are outlined as part of the AutomatedEncryption concept.

Troubleshooting

If you have arrived here after receiving an email saying:

The web page

       https://gnupg.org/faq/wkd.html

explains how you can process this message anyway in
a few manual steps.

you can find further instructions at WKSManualConfirmation.

Implementations

GnuPG

Mail Clients

Any mail client which uses the --locate-keys command of GnuPG will automatically do WKD requests, because "wkd" is part of GnuPG's default --auto-key-locate list.

Known mail clients with WKD Support:

Known mail clients with WKS Support:

Self-hosted email setups offering WKD + WKS:

Mail Service Providers offering WKD

Organizations using WKD

Misc

WKD (last edited 2021-09-28 15:24:45 by bernhard)