Orbifx's logarion

Web key directory

topics: computing | keywords: encryption, pgp
id: 014e361e-0544-4bf0-95bd-87b9c7e21b54

I knew of two ways to share PGP keys: exchange them directly with folk, or publish them on a public keyserver. Publishing my information on a public keyserver raises concerns about information leakage.

Sheogorath introduced me to an alternative: Web Key Directory. Public keys are uploaded to a "well known directory" (.well-known/openpgpkey/hu), so for this method to work you need access to your domain's .well-known directory. Each key is a file named after a hash of the user-name part (the local part) of the email address. Find out how to name the file by running:

 gpg --with-wkd-hash --fingerprint foo@example.com

Where foo@example.com should be your email. The command outputs several lines, one of which will contain your id:

 sc8wrug2g3mz8m8jz4tjrlgweilkgcba@example.com

Copy the part before the @ and export your key with:

 gpg --no-armor --export foo@example.com > sc8wrug2g3mz8m8jz4tjrlgweilkgcba

Then upload it to your .well-known/openpgpkey/hu directory. Finally, there must be a .well-known/openpgpkey/policy file, which holds various flags.
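As an added example (not from the original post), here is how the file name printed by that gpg command is derived: the lowercased local part is hashed with SHA-1 and the digest is encoded in z-base-32, and a client then fetches the key from the direct-method URL built below. The function names are my own; the alphabet and directory layout are those of the WKD specification.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (Zooko's), used by WKD for the hashed local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit first."""
    bits = nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32[(bits >> nbits) & 31])
    if nbits:  # right-pad a trailing partial group with zero bits
        out.append(ZB32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def zbase32_decode(text: str) -> bytes:
    """Inverse of zbase32_encode; trailing padding bits are dropped."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits = (bits << 5) | ZB32.index(ch)
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def wkd_hash(local_part: str) -> str:
    """The file name gpg --with-wkd-hash prints: z-base-32(SHA-1(lowercased local part))."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode()).digest())


def wkd_direct_url(email: str) -> str:
    """URL a client fetches under the WKD direct method (the layout this post sets up)."""
    local, domain = email.rsplit("@", 1)
    return (f"https://{domain.lower()}/.well-known/openpgpkey/hu/"
            f"{wkd_hash(local)}?l={quote(local)}")


def wkd_files(email: str) -> list:
    """Relative paths under .well-known/openpgpkey/ that the direct method needs."""
    return ["policy", "hu/" + wkd_hash(email.rsplit("@", 1)[0])]


if __name__ == "__main__":
    print(wkd_direct_url("foo@example.com"))  # foo@example.com is a placeholder address
```

Comparing `wkd_hash("foo")` with the name printed by `gpg --with-wkd-hash --fingerprint foo@example.com` confirms the file is named correctly before uploading.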

This is actually a simpler form of trusting keys, as they have to match the domain they have come from. With public key servers, keys have to be signed by people you already trust to verify them (web of trust).