Revision 41 as of 2018-08-23 07:12:40
WKD

Contents

  1. What is a Web Key Directory?
  2. How does it work?
  3. What does it mean for users?
  4. How to set it up?
  5. Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?
  6. Technical Details
  7. Implementations

What is a Web Key Directory?

Web Key Directories provide an easy way to discover public keys through HTTPS.

In contrast to the public keyservers, a Web Key Directory does not publish mail addresses, and it is an authoritative public-key source for its domain.

How does it work?

  1. The sender's mail client (through GnuPG) checks a "well known" URL on the domain of the recipient.
  2. If a key is available for that address, it can be downloaded via HTTPS.
  3. The downloaded key can now be used for automatic encryption.

Such a URL looks like https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h for the mail address "aheinecke@intevation.de".
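The "hu" path component above is derived from the local part of the address: the WKD draft hashes the lower-cased local part with SHA-1 and encodes the 20-byte digest in z-base-32, giving the 32-character name. The following is an added example (not code from GnuPG or from this wiki) that builds the direct-method URL shown on this page and, going slightly beyond the page, the advanced-method URL from the WKD draft (a dedicated openpgpkey subdomain plus the "?l=" query parameter). The address used in the test data is the one from the page; the function names are this example's own.

```python
import hashlib
import sys
import urllib.parse
import urllib.request

# z-base-32 alphabet as used by the WKD draft for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, no padding."""
    nchars = (len(data) * 8 + 4) // 5
    # left-align the bit string on a 5-bit boundary so every group is full
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(
        ZBASE32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 0x1F]
        for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def split_address(address: str):
    """Split 'user@domain' into (local_part, domain); the domain is lower-cased."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return local_part, domain.lower()


def wkd_direct_url(address: str) -> str:
    """Direct method: the URL form shown on this page (key served from the mail domain itself)."""
    local_part, domain = split_address(address)
    return f"https://{domain}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}"


def wkd_advanced_url(address: str) -> str:
    """Advanced method from the WKD draft (not shown on this page):
    the key is served from an 'openpgpkey' subdomain, the path repeats the
    domain, and '?l=' carries the original local part for the server."""
    local_part, domain = split_address(address)
    return (
        f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
        f"/hu/{wkd_hash(local_part)}?l={urllib.parse.quote(local_part, safe='')}"
    )


if __name__ == "__main__":
    # usage: python wkd_url.py [address] [--fetch]
    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
    addr = positional[0] if positional else "aheinecke@intevation.de"
    print("direct:  ", wkd_direct_url(addr))
    print("advanced:", wkd_advanced_url(addr))
    if "--fetch" in sys.argv:  # only this branch touches the network
        with urllib.request.urlopen(wkd_direct_url(addr), timeout=10) as resp:
            # a WKD answer is a binary (non-armored) OpenPGP key block
            print(f"fetched {len(resp.read())} bytes of key data")
```

Run without arguments and the first line printed is exactly the URL quoted above. Note that the domain is lower-cased but the hash is computed over the lower-cased local part only; the recipient's name never appears in the direct URL, which is why a WKD does not expose a list of addresses the way a keyserver search does.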

What does it mean for users?

A user just selects the recipients of a message; by default, encryption is switched on for that mail if all recipients can be found in a Web Key Directory.

Example from Gpg4win / GpgOL

For a basic level of security the user does not need to check a fingerprint or do any key management manually.

How to set it up?

If you want to set up a Web Key Directory for your organisation, you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting

For a larger organisation it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.

Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?

The Web Key Directory is the HTTPS directory from which keys can be fetched.

The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional and exists to reduce the administrative effort of running a Web Key Directory.

Documentation on how to set up a Web Key Service can be found on the Web Key Service page.

Technical Details

You can find the concepts / technical details under WKDDetails.

Trust and security considerations are outlined as part of the AutomatedEncryption concept.

Implementations

GnuPG

  • WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23.
  • WKS server and client tools are part of GnuPG since v2.1.14.

Mail Clients

Any mail client that uses the --locate-keys option of GnuPG will automatically do WKD requests.

Known mail clients with WKD Support:

  • Thunderbird/Enigmail 2.0
  • KMail since Version 5.6
  • Outlook with GpgOL since Version 2.2.0

Known mail clients with WKS Support:

  • Thunderbird/Enigmail 2.0
  • KMail since Version 5.6
  • Outlook with GpgOL (basic, pre-release) since Version 2.2.1 (EasyGpg2016)

Mail Service Providers offering WKD

  • Posteo offers web key directory lookup and service for @posteo.de addresses (since 2016-12)
  • netzguerilla offers web key directory lookup (since 2017-10-11)
  • mailbox.org plans to offer web key directory lookup in Q2 2018 (coming with OX Guard 2.10)
  • (Self)-hosted email servers that run caesonia - an OpenBSD Email Service setup.

Organizations using WKD

  • cotech.de
  • KDAB.com
  • kernel.org
  • gentoo.org
  • gnupg.org (Testing accounts available for developers implementing WKD in MUAs.)
  • (Several smaller organizations, including, unsurprisingly, g10code.com and intevation.de. Let us know if you want to be publicly listed.)

This site is hosted by Intevation GmbH