Open githubatf2f10 opened 3 years ago
IMO, DNSSEC and GPG are dying technologies and GPG in particular is extremely hard to do right in a novice-friendly environment like the one that Mail-in-a-Box strives for, so I don't think I would accept PRs for either of these features.
I'd also argue that an issue with using DNS records to serve PGP keys is that they can become way too big (beyond what's acceptable, in my opinion, for a record).
On the other hand, WKD is still technically a draft. While it hasn't changed much across the last 1.5 years, one can't quite consider it a stable thing yet.
This said (shameless plug here, I am sorry), I am actually hacking around with some form of WKD distribution on my fork. Still far from a functional product, though (I still need to answer some design questions around it myself).
I think an easy way to do this yourself would be to use keys.openpgp.org's WKD as a service. I haven't tested it myself yet, but it seems like setting a custom CNAME DNS record to wkd.keys.openpgp.org should be enough.
Thanks all for the input! Thanks Josh for your thoughts! I just put some notes about what I did on my box for future reference, for myself or some others.

WKD:

Advanced method: (I don't know how to do this in MIAB.) This needs a subdomain, like openpgpkey.abc.com... This needs to have a structure like .well-known/openpgpkey/abc.com/....

Direct method: (I manually did this in my own abc.com's root directory.)

```
/home/user-data/www/abc.com$
.well-known/openpgpkey/
    hu/        (all the keys here.....)
    policy
```

```
sudo chown -R user-data:root .well-known/
```

Add the following to nginx-alldomains.conf:

```nginx
location ^~ /.well-known/openpgpkey {
    default_type "application/octet-stream";
    add_header Access-Control-Allow-Origin * always;
}
```

Then do a web-update:
@JoshData, I agree that PGP in email is/was not straightforward to use and is considered an advanced feature used by privacy-oriented, tech-savvy users, but there were some upgrades of the PGP key discovery infrastructure in the last years. For example, now you don't need to send the key or give a URL to the recipient beforehand; it can be discovered automatically via OpenPGP Web Key Directory (WKD) — just publish your key on the webserver of your domain in a special format and the email client will request it.
There's also newer key server infrastructure available, https://keys.openpgp.org/ for example. Add your key there and many email clients/providers with PGP support would discover and use it automatically.
Newer versions of Thunderbird now have built-in PGP support, which works pretty well. I receive automatically encrypted emails from Protonmail users occasionally, and can reply encrypted as well.
https://wiki.gnupg.org/WKDHosting https://wiki.gnupg.org/WKD
Since MIAB can support multiple domains, I would think the Advanced Method for OpenPGP WKD works out best. We may only need to create a default structure like this (this can be aliased in the nginx conf, probably nginx-alldomains.conf):

/home/user-data/openpgpkey ----> aliased to /.well-known/openpgpkey for all domains

in /home/user-data, similar to the ssl folder where we host each domain's ssl certs.

Whenever a user adds a domain, the following will autopopulate (or we could lump all these domains into only one openpgpkey/hu to simplify things, maybe. This will leverage alias, but will this become the Direct Method again?):

/home/user-data/openpgpkey/abc.com/hu/
/home/user-data/openpgpkey/abc.com/policy
...
/home/user-data/openpgpkey/def.com/hu/
/home/user-data/openpgpkey/def.com/policy

Within each of these directories are the public gpg keys for those domains. (The user can manually SCP them in, or we can add this function to the admin portal, if possible, to deal with read/write attributes automatically.)

https://openpgpkey.abc.com/.well-known/openpgpkey/abc.com/hu/
...
https://openpgpkey.abc.com/.well-known/openpgpkey/abc.com/hu/
With the infrastructure MIAB provides right now, you can easily set up a static WKD via the direct method, provided you are willing to manually update the keys (this method doesn't work if you are hosting the website elsewhere, though):

Edit (or create) the /home/user-data/www/example.com.conf file and add in the following:

```nginx
location = /.well-known/openpgpkey/policy {
    return 204; # 204 means No Content, so a 0 byte file
    add_header Access-Control-Allow-Origin "*" always;
}
# hu/ names are z-base-32; the dot in .well-known is escaped so it is matched literally
location ~ ^/\.well-known/openpgpkey/hu/([ybndrfg8ejkmcpqxot1uwisza345h769]*)$ {
    alias /where/you/store/the/keys/$1;
    add_header Access-Control-Allow-Origin "*" always;
}
```

If the file did not exist, you might want to update your web configuration in the admin panel (not sure). Otherwise a good old `sudo nginx -s reload` will do.
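The `hu/` filenames that the direct-method notes, the per-domain layout proposal and the nginx regex above all rely on are derived from the address, so here is an added example (my own code, not from this thread or the Mail-in-a-Box project) that computes the WKD hashed local part and the URLs and on-disk paths a key must be reachable at under both methods. It assumes the `/home/user-data/openpgpkey/<domain>/hu/` layout proposed in the thread and uses the sample address Joe.Doe@Example.ORG; it also adds the exact-length check that the `*` in the nginx regex does not enforce.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet: the same character set the nginx regex in the thread matches.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (5-bit groups, no padding characters)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 0x1F])
    if nbits:  # trailing partial group is zero-filled on the right
        out.append(ZBASE32[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hashed user ID: SHA-1 of the lowercased local part, z-base-32 encoded."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 20 bytes -> exactly 32 characters


def is_valid_hu_name(name: str) -> bool:
    """Stricter than the nginx regex: exactly 32 z-base-32 characters, no more, no less."""
    return len(name) == 32 and all(c in ZBASE32 for c in name)


def wkd_locations(address: str, root: str = "/home/user-data/openpgpkey") -> dict:
    """URLs a WKD client fetches for `address`, plus where the key file must live.
    `root` is the per-domain layout proposed in the thread (an assumption, not MIAB's)."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    q = "?l=" + quote(local)  # the ?l= query carries the unhashed local part
    return {
        "hu": h,
        "direct_url": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
        "advanced_url": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "key_file": f"{root}/{domain}/hu/{h}",
        "policy_file": f"{root}/{domain}/policy",
    }


if __name__ == "__main__":
    for k, v in wkd_locations("Joe.Doe@Example.ORG").items():  # constructed sample address
        print(f"{k:16} {v}")
```

The file placed at `key_file` must be the binary (not ASCII-armored) public key, which is why the direct-method notes above set `default_type "application/octet-stream"`.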
Hi Josh,

I was wondering whether it would be a small effort for you to get the following features integrated. These are two methods that we may use to help facilitate our own GPG key distribution for others to retrieve.

Thank you!
Peng