Notes on OpenPGP WKD

Recently I’ve been working with OpenPGP and configuring my gpg keys to work on my Yubikeys. I’ve also been testing out some of the new (to me anyways) secure email providers like Proton and Tuta. I quickly gave up on Tuta, it isn’t my cup of tea. Proton on the other hand seems to be something interesting. During this whole process I’ve learned about the Web Key Directory and this intrigued me enough to get it working for my own domains.

I did have a few setup issues along the way, so here are some notes that may help me remember how I got this working in the future:

  • The site webkeydirectory.com has a much more useful testing and results page than some of the other test sites I was using
  • Some email providers (looking at you Proton) seem to only use the Advanced key lookup method and not the easier-to-set-up Direct method. I found this tidbit referenced in an old Reddit thread
  • The policy file needs to exist in your web tree. This tells requesters that you have WKD set up apparently
  • The policy file needs to be present in both the Advanced and Direct web paths. At the top level is not good enough it seems
  • The .htaccess file also needs to be present in both paths
  • The public key files need to be in binary format and not ASCII armored. I didn’t see this documented anywhere else besides the test site linked above and one reference in the gnupg-users mailing list (in a very long thread).
  • Another tidbit: if you are using the same public key for multiple domains, the key data must have a matching uid for the domain. Example: [email protected] and [email protected] using the same keypair. Both uids must be represented in the binary key blob.
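To make the Direct versus Advanced distinction concrete, here is an added example (mine, not from the original post) that derives the two lookup URLs and the two policy-file locations a WKD client expects for an address. The `Joe.Doe@example.org` address is a constructed sample; the Z-Base-32 alphabet and URL layout follow the WKD draft specification.

```python
"""Compute OpenPGP Web Key Directory (WKD) lookup URLs for an email address."""
import hashlib
from urllib.parse import quote

# Z-Base-32 alphabet used by WKD to encode the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Z-Base-32 without padding: 5-bit groups, most significant bits first."""
    nchars = -(-len(data) * 8 // 5)  # ceil(bits / 5)
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, Z-Base-32 encoded (always 32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode()).digest())


def wkd_urls(address: str) -> dict:
    """Return the Direct and Advanced key URLs plus the policy URL each method probes."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hash(local_part)
    query = "?l=" + quote(local_part)  # original-case local part travels in the query
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "direct": f"{direct_base}/hu/{hu}{query}",
        "advanced": f"{advanced_base}/hu/{hu}{query}",
        # Each method has its own policy file; a client using only the Advanced
        # method never looks at the Direct one, so both must be served.
        "direct_policy": f"{direct_base}/policy",
        "advanced_policy": f"{advanced_base}/policy",
    }


if __name__ == "__main__":
    # Constructed sample address, not a real mailbox.
    for name, url in wkd_urls("Joe.Doe@example.org").items():
        print(f"{name:16} {url}")
```

The file served at each `hu/` URL must be the binary key export (`gpg --export`, no `--armor`), matching the note above.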

Interesting to set this up and get it working. I think I’ve come up with a better way to host the Advanced style for my domains. I’ve already created the structure and it is working, except for the missing uids. Maybe I’ll post about my hosting setup next.