[dev] Providing keys through Web Key Directory protocol

Wiktor Kwapisiewicz wiktor at metacode.biz
Wed Oct 17 08:30:47 UTC 2018


On 16.10.2018 15:03, Ralf Lang wrote:
> 
> Zitat von Wiktor Kwapisiewicz <wiktor at metacode.biz>:
> 
>> Hello Horde Dev,
>>
>> I would like to add support for providing user's PGP keys in Horde
>> through Web Key Directory protocol.
>>
>> Relevant ticket: https://bugs.horde.org/ticket/14465
>>
>> A quick explanation of what WKD does: modern GnuPG allows looking up PGP
>> keys by e-mail address by converting e-mails to HTTPS URLs that are
>> used to fetch the key (more info at https://wiki.gnupg.org/WKD ).
>>
>> For example, using "gpg --locate-key torvalds at kernel.org" fetches the
>> key from
>> https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x
>>
>> (the local part is SHA1-ed and encoded using ZBase32)
>>
>> Horde could store the encoded username hash in database, have an
>> endpoint that would catch "/.well-known/openpgpkey/hu" calls, retrieve
>> user's pgpPublicKey and return the binary key (or 404 if the key doesn't
>> exist).
>>
>> I think storing an additional attribute (the encoded localpart) is needed
>> because it's not possible to easily reverse the hash to the username. I've
>> checked the Pgp component and it seems Horde_Pgp_Element_PublicKeys have
>> a to_bytes() method that can be used to return the binary encoded OpenPGP key.
>>
>> Could you check if this reasoning is sound? I would appreciate any tips
>> in development of this feature as the sheer size of the code base is a
>> little bit intimidating :)
>>
>> Currently I've got a small problem with horde-git-tools (in attachment)
>> but I'll try some alternative methods to get the source.
>>
>> Thank you for your time!
>>
>> Kind regards,
>> Wiktor
>
> Hi Wiktor,
> 
> sounds basically reasonable. We just need to ensure not to tie it to the
> user but to the identity - a user can have multiple identities, user
> names etc.

Yes, WKD's input is the domain (example.com) and the hash (zbase32), and the
hash directly corresponds to the local-part of the e-mail address (it's just
SHA1-hashed). So it would be good to put the hash in the same place
where an e-mail address is stored (this probably means "identity") and
on lookup retrieve the user associated with that pair and their PGP key.

Thanks for your input!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
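The local-part to URL mapping the thread describes, together with the (domain, hash) lookup the "hu" endpoint would need, as an added Python example; it is not part of the original mail or of Horde's code, and the identity table and key bytes in it are constructed placeholders:

```python
import hashlib

# z-base-32 alphabet as used by WKD (assumption: the standard zbase32 table).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    out, buf, bits = [], 0, 0
    for byte in data:
        buf, bits = (buf << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            out.append(ZBASE32_ALPHABET[(buf >> bits) & 0x1F])
    if bits:  # flush the leftover bits, zero-padded on the right
        out.append(ZBASE32_ALPHABET[(buf << (5 - bits)) & 0x1F])
    return "".join(out)

def wkd_hash(local_part: str) -> str:
    """Map a local part to its WKD hash: lower-case, SHA-1, z-base-32."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_direct_url(email: str) -> str:
    """Direct-method URL a client such as 'gpg --locate-key' fetches for an address."""
    local_part, domain = email.rsplit("@", 1)
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}"

# Constructed stand-in for Horde's identity storage: (e-mail, binary OpenPGP
# key or None). The key bytes are placeholders, not real keys.
IDENTITIES = [
    ("alice@example.com", b"\x99\x01\x0d\x04alice"),
    ("Bob.Smith@example.com", b"\x99\x01\x0d\x04bob"),
    ("carol@example.com", None),  # identity with no pgpPublicKey yet
]

# The hash is stored next to each identity at write time, because a lookup
# only presents (domain, hash) and the hash cannot be reversed to the local part.
WKD_INDEX = {
    (email.rsplit("@", 1)[1].lower(), wkd_hash(email.rsplit("@", 1)[0])): key
    for email, key in IDENTITIES
}

def serve_hu(domain: str, hu_hash: str):
    """Handle GET /.well-known/openpgpkey/hu/<hash>; returns (status, body)."""
    key = WKD_INDEX.get((domain.lower(), hu_hash))
    if key is None:
        return 404, None
    return 200, key  # body is the binary key, served as application/octet-stream
```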