<> == What is a Web Key Directory? Web Key Directories provide an easy way to discover public keys through H~T~T~P~S. They provide an important piece to the infrastructure **to improve the user experience for exchanging secure emails and files**. In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain. == How does it work? # The senders mail client checks a "well known" U~R~L on the domain of the recipient. # If a public key is available for that mail address, will be downloaded via H~T~T~P~S. # The downloaded pubkey can now be used without further user interaction. Such an URL looks like: {{{https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h}}} for the mail address "aheinecke@intevation.de" == What does it mean for users? A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory. [[https://files.intevation.de/users/aheinecke/wkd-autoencrypt.gif|Example from Gpg4win / GpgOL]] For a basic level of security the user does **not need to check a fingerprint** or do any key management manually. == How to set it up? If you want to set up a Web Key Directory for your organisation you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting For a larger organisation it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing. == Web Key Directory (WKD) / Web Key Service (WKS) what is the difference? The Web Key Directory is the H~T~T~P~S directory from which keys can be fetched. The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is **optional** to reduce the administrative effort of a Web Key Directory. Documentation how to set up a Web Key Service can be found on the [[WKS|Web Key Service page]]. == Technical Details You can find the concepts / technical details under WKDDetails. Trust and security considerations are outlined as part of the AutomatedEncryption concept. == Implementations === GnuPG * WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23.. * WKS server and client tools are part of GnuPG since v2.1.14 === Mail Clients Any mail client which uses the {{{--locate-keys}}} option of GnuPG will automatically do WKD requests. Known mail clients with WKD Support: * Thunderbird/[[https://www.enigmail.net/index.php/en/download/changelog|Enigmail 2.0]] * KMail since Version 5.6 * Outlook with GpgOL since Version 2.2.0 Known mail clients with WKS Support: * Thunderbird/[[https://www.enigmail.net/index.php/en/download/changelog|Enigmail 2.0]] * KMail since Version 5.6 * Outlook with GpgOL (basic, pre-release) since Version 2.2.1 asyGpg2016) === Mail Service Providers offering WKD * [[https://posteo.de/en/|Posteo]] offers web key directory lookup and service for {{{@posteo.de}}}-addresses (**Since 2016-12**) * [[https://netzguerilla.net|netzguerilla]] offers web key directory lookup. (**Since 2017-10-11**) * [[https://mailbox.org/en/|mailbox.org]] **plans** to offer web key directory lookup in Q2 2018 (coming with [[https://knowledgebase.open-xchange.com/roadmap.html#21|OX Guard 2.10]]). * (Self)-hosted email servers that run [[https://github.com/vedetta-com/caesonia/|caesonia - an OpenBSD Email Service]] setup. === Organizations using WKD * [[https://www.c3s.cc|C3S]] * [[https://www.cotech.de|cotech.de]] * [[https://gentoo.org|gentoo.org]] * [[https://gnupg.org|gnupg.org]] (Testing accounts available for developers implementing WKD in ~MUAs.) * [[https://kdab.com|KDAB.com]] * [[https://kernel.org|kernel.org]] * (Several smaller organizations. Like - unsurprisingly - g10code.com and intevation.de. //Let us know if you want to be publicly listed.//)