What is a Web Key Directory?

Web Key Directories provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files.

In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain.

How does it work?

  1. The senders mail client checks a "well known" URL on the domain of the recipient.
  2. If a public key is available for that mail address, will be downloaded via HTTPS.
  3. The downloaded pubkey can now be used without further user interaction.

Such an URL looks like: https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h for the mail address "aheinecke@intevation.de"

What does it mean for users?

A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory.

Example from Gpg4win / GpgOL

For a basic level of security the user does not need to check a fingerprint or do any key management manually.

How to set it up?

If you want to set up a Web Key Directory for your organisation you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting

For a larger organisation it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.

Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?

The Web Key Directory is the HTTPS directory from which keys can be fetched.

The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional to reduce the administrative effort of a Web Key Directory.

Documentation how to set up a Web Key Service can be found on the Web Key Service page.

Technical Details

You can find the concepts / technical details under WKDDetails.

Trust and security considerations are outlined as part of the AutomatedEncryption concept.

Implementations

GnuPG

Mail Clients

Any mail client which uses the --locate-keys option of GnuPG will automatically do WKD requests.

Known mail clients with WKD Support:

Known mail clients with WKS Support:

Mail Service Providers offering WKD

Organizations using WKD

WKD (last edited 2018-11-19 12:24:47 by Werner Koch)