diff options
author | Katharina Fey <kookie@spacekookie.de> | 2019-07-02 19:39:45 +0100 |
---|---|---|
committer | Katharina Fey <kookie@spacekookie.de> | 2019-07-02 19:39:45 +0100 |
commit | 007146d971ecb0633130c9a5f8a390ad46dc36a2 (patch) | |
tree | 0cd78f4c927b9e47788d1293a077904b26f75ce1 | |
parent | 6c09419d6a9b7bc839e68e613a54b10d717d5e33 (diff) |
Adding article about WKD
-rw-r--r-- | content/blog/108_usable_gpg.md | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/content/blog/108_usable_gpg.md b/content/blog/108_usable_gpg.md new file mode 100644 index 0000000..ab599d9 --- /dev/null +++ b/content/blog/108_usable_gpg.md @@ -0,0 +1,82 @@ +Title: Usable GPG with WKD +Category: Blog +Tags: gpg, security, usability +Date: 2019-07-02 + +With the recent [SKS keyserver vulnerability][sks], +people have been <strike>arguing</strike> reasonably talking on the GnuPG mailing list +about how to proceed with keyservers, public key exchanges +and the GPG ecosystem as a whole. + +[sks]: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f + +As part of this [WKD] was mentioned. +It stands for "Web Key Directory" and is a standard +for making a users public key available via their e-mail provider +or server with the domain that corresponds to their e-mail address. +There's several clients (such as [Enigmail] in Thunderbird) +that will use this standard to automatically fetch a user's public key, +when writing an e-mail to them. + +[WKD]: https://wiki.gnupg.org/WKD +[Enigmail]: https://www.enigmail.net/index.php/en/ + +As an example: my e-mails are hosted with [mailbox.org], +but I use my own website as an e-mail alias. +This means that I can make my public key available via my website, +and clients using WKS could then get it automatically. + +[mailbox.org]: https://mailbox.org + +If you don't have your own domain and use a webhoster instead, +you might still be able to use this. +There's a [list of supported hosters][list] that you should check out. + +[list]: https://wiki.gnupg.org/WKD#Mail_Service_Providers_offering_WKD + +## Setting this up + +(**Note:** in newer versions of `gpg` the tool `gpg-wks-client` is included, +which can handle setting up the folder structure for you automatically). + +There's two ways of making your public keys accessable this way: +the advanced and the direct way. +This post will only talk about the latter, because I find it easier. + +You need to create a `.well-known/openpgpkey` directory on your server. +In this directory, place a `policy` file. +This can be zero-length, but is used to check for WKD capability. +Next, create a `hu` folder inside it +(no idea what this stands for...) + +Next, take the prefix of your e-mail address +(i.e. in `kookie@spacekookie.de`, this would be `kookie`), +hash it with SHA-1 and then encode the output with z-base-32. +You can use [this][cryptii] convenient encoding website. + +[cryptii]: https://cryptii.com/pipes/z-base-32 + +The resulting folder structure should look something like this: + +``` +$ tree .well-known/ +.well-known/ +└── openpgpkey + ├── hu + │ └── nzn5f4t6k15893omwk19pgzfztowwkhs + └── policy +``` + +You need to make sure that this folder is accessable through your webserver +(this either involves including it in a static site or configuring nginx correctly). +But fundamentally, that's it! + +You can test if it works by setting a new `GNUPGHOME` and running this: + +``` +$ env GNUPGHOME=$(mktemp -d) gpg --locate-keys <your-email-here> +``` + +And that's it! Clients like Enigmail, KMail or GpgOL for Outlook +will now automatically fetch your public key for any message they send. + |