It would be a better way, but the technology hinges on support by e-mail providers. I wouldn't recommend holding your breath.
The other contender is Autocrypt, which performs key exchange inline in emails in an automated fashion. It only depends on client support, and has gained at least some traction (enigmail, k9, mailvelope, gpgOL, delta.chat, and some others).
> It would be a better way, but the technology hinges on support by e-mail providers. I wouldn't recommend holding your breath.
Ah.
> The objective of the project was to develop new mechanisms for the reliable and automatic public PGP key exchange between e-mail providers. The results have also contributed to the WKS/WKD standard that is part of the GnuPG project.
I was looking at going with mailbox.org or possibly protonmail (though they don't have calendars at the moment and I use that), both apparently support it. As does Thunderbird+Enigmail, K9/OpenKeychain.
I have noticed the AutoCrypt method.
Part of the reason I changed my email is because I had in the past submitted a few keys to the sks network which I lost the private keys to, they were also submitted with an infinite expiry. I was a stupid kid.
So I am unlikely to submit my new keys to the sks network. Just store them in my domain, WKD, and on my blog.
> Part of the reason I changed my email is because I had in the past submitted a few keys to the sks network which I lost the private keys to, they were also submitted with an infinite expiry. I was a stupid kid.
That's why most recent versions of GnuPG automatically create keys with expiry set to 2 years.
> I have my own domain, so maybe OPENPGPKEY record in my domain as well
> DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
WKD has some benefits over OPENPGPKEY - it keeps the request confidential (as WKD uses plain HTTPS). WKD is just easier to get right, that's why it's more broadly supported. GnuPG, which supports both of them, defaults to WKD. If an OPENPGPKEY request is made, it seems GnuPG doesn't even validate DNSSEC signatures: https://lists.gnupg.org/pipermail/gnupg-users/2011-December/...
* https://wiki.gnupg.org/WKD
* https://tools.ietf.org/html/draft-koch-openpgp-webkey-servic...
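To make the WKD versus OPENPGPKEY comparison above concrete, here is an added example (not part of the thread, and not GnuPG's code) that derives where each method looks for a key and what a network observer can see of the lookup. The addresses are constructed, `visible_on_the_wire` is a hypothetical helper, and it assumes plain unencrypted DNS and no encrypted SNI.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per character, zero-padded)."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def split_address(addr: str) -> tuple[str, str]:
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain.lower()


def wkd_urls(addr: str) -> dict[str, str]:
    """HTTPS URLs a WKD client requests (advanced method first, then direct)."""
    local, domain = split_address(addr)
    # SHA-1 over the local part with ASCII letters lowercased, z-base-32 encoded.
    hu = zbase32(hashlib.sha1(local.encode("utf-8").lower()).digest())
    tail = f"hu/{hu}?l={quote(local, safe='')}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }


def openpgpkey_owner_name(addr: str) -> str:
    """DNS owner name of the RFC 7929 OPENPGPKEY record."""
    local, domain = split_address(addr)
    # SHA-256 over the local part as written, truncated to 28 octets, in hex.
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._openpgpkey.{domain}."


def visible_on_the_wire(addr: str) -> dict[str, str]:
    """What a network observer sees, assuming plain DNS and no encrypted SNI."""
    host = wkd_urls(addr)["advanced"].split("/")[2]  # TLS hides the URL path
    return {"wkd": host, "openpgpkey": openpgpkey_owner_name(addr)}


if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "hugh@example.com"):  # constructed addresses
        print(addr, wkd_urls(addr), openpgpkey_owner_name(addr), sep="\n  ")
```

With WKD the per-user hash travels inside the TLS session, so only the host name is exposed; with OPENPGPKEY the hashed local part is the query name itself.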
I'm thinking that's a better way to publish keys these days anyway.
I have my own domain, so maybe OPENPGPKEY record in my domain as well
DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
https://tools.ietf.org/html/rfc7929