nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0

GnuPG WKD (Well Known Directory) #1469

Open kees-closed opened 5 years ago

kees-closed commented 5 years ago

Feature Request

WKD is an easy and secure way to verify PGP keys. It would be useful to integrate this into a cloud email client. Using a browser extension is definitely not the way to go because: 1) you want to be able to log on to a random computer and use the cloud (someone else's computer) without relying on additional software and 2) as a result you want your cloud email client to be mobile, so on your phone, at university, work, wherever and always have the same functionality. Placing files locally would break the cloud concept.

However, to some extent this does seem to be the thought process with Nextcloud. Like relying on a (paid) 3rd party Android application for calendar/contact synchronization. But that's off topic, just to emphasize that some people don't want to rely on additional 3rd party software to get their personal cloud working.

Summary

Web Key Directories provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files.

Organizations using WKD

Mail Service Providers offering WKD

Known mail clients with WKD Support:

Known mail clients with WKS Support:

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

kees-closed commented 5 years ago

Would still be great to have this feature.

ChristophWurst commented 5 years ago

> Would still be great to have this feature.

Are you a developer by any chance?

kees-closed commented 5 years ago

> > Would still be great to have this feature.
>
> Are you a developer by any chance?

I'm afraid I won't be of much help :(

wiktor-k commented 5 years ago

I'm a developer. I've added WKD support to OpenKeychain, Openpgp.js, Mailpile and others. The integration with products that already used OpenPGP was quite easy. Would it be possible for you @ChristophWurst to assess the complexity of adding WKD to nextcloud mail?

In a nutshell WKD is a protocol that for any email address constructs an HTTPS URL for fetching the key. That part is extremely easy but as I've never worked with nextcloud the integration could take more time (this is a really scarce resource for me).

ChristophWurst commented 5 years ago

Sounds like an integration isn't that much of an effort. The retrieval from the well known URL is trivial. We then just have to invoke pgp to do the verification. This can be done on the server or client.


> However, to some extent this does seem to be the thought process with Nextcloud. Like relying on a (paid) 3rd party Android application for calendar/contact synchronization. But that's off topic, just to emphasize that some people don't want to rely on additional 3rd party software to get their personal cloud working.

Are you referring to DAVx⁵? It's 100% open source and tightly integrated into Nextcloud, you can even automate the account creation from the Nextcloud Android app :wink:

Keep in mind: paid app does not imply proprietary app.

wiktor-k commented 5 years ago

> Sounds like an integration isn't that much of an effort. The retrieval from the well known URL is trivial. We then just have to invoke pgp to do the verification. This can be done on the server or client.

Exactly. The `local@domain.com` part is turned into `https://domain.com/.well-known/openpgpkey/hu/$HASH` where `$HASH` is [`encodeZBase32('local')`](https://gist.github.com/wiktor-k/53e3ad0a7705735705019c7b42a2cf00) (there is also a JavaScript version if you prefer that).


> Keep in mind: paid app does not imply proprietary app.

That's actually the model I like most - FOSS but paid so that the development and maintenance is sustained.
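
The lookup discussed in the comments above, as an added example that is not code from this thread or from Nextcloud Mail: it follows the WKD draft (draft-koch-openpgp-webkey-service), in which the hash is the z-base-32 encoding of the SHA-1 of the lowercased local part, and builds both the advanced and the direct URL. The function name `wkdUrls` and the ASCII-only domain check are assumptions of this example.

```javascript
// Added example: build WKD lookup URLs for an e-mail address.
const { createHash } = require('crypto');

const ZBASE32 = 'ybndrfg8ejkmcpqxot1uwisza345h769';

// z-base-32: 5 bits per output character, most significant bits first.
function encodeZBase32(bytes) {
  let out = '';
  let acc = 0;  // bit accumulator
  let bits = 0; // number of unconsumed bits in acc
  for (const b of bytes) {
    acc = (acc << 8) | b;
    bits += 8;
    while (bits >= 5) {
      out += ZBASE32[(acc >>> (bits - 5)) & 31];
      bits -= 5;
    }
    acc &= (1 << bits) - 1; // drop bits already emitted
  }
  if (bits > 0) out += ZBASE32[(acc << (5 - bits)) & 31];
  return out;
}

function wkdUrls(address) {
  const at = address.lastIndexOf('@');
  if (at < 1 || at === address.length - 1) {
    throw new Error('not an e-mail address: ' + address);
  }
  const local = address.slice(0, at);
  const domain = address.slice(at + 1).toLowerCase();
  // Assumption of this example: ASCII (or punycode) domains only. Rejecting
  // everything else keeps a crafted address from changing the URL host or path.
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/.test(domain)) {
    throw new Error('unexpected characters in domain: ' + domain);
  }
  // Only ASCII upper-case letters are folded before hashing.
  const folded = local.replace(/[A-Z]/g, (c) => c.toLowerCase());
  const hash = encodeZBase32(createHash('sha1').update(folded, 'utf8').digest());
  const l = encodeURIComponent(local); // original spelling goes in ?l=
  const base = '/.well-known/openpgpkey';
  return {
    advanced: `https://openpgpkey.${domain}${base}/${domain}/hu/${hash}?l=${l}`,
    direct: `https://${domain}${base}/hu/${hash}?l=${l}`,
  };
}

// Constructed sample address.
console.log(wkdUrls('alice@example.org'));
```

Both URLs are derived from the mail domain of the address, so the key for a constructed `alice@example.org` is fetched from `example.org` hosts regardless of where the mail client itself runs. A client should also confirm that the fetched key carries a User ID for the requested address before using it.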

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

kees-closed commented 4 years ago

Activity bump.

financelurker commented 3 years ago

So, what exact use case is proposed here?

Just the WKD-check functionality in NextCloud Mail? Or that NextCloud provides a /.wellknown directory?

To make the experience more holistic it would be nice that NextCloud users can store their public key in their profile and a NextCloud WKD App pays respect to it and publishes it on its WKD /.wellknown directory site.

I mean, there is https://help.nextcloud.com/t/gpg-encrypted-emails-for-nextcloud/26129/6 - but for now it's not "tested" for NextCloud 22...

kees-closed commented 3 years ago

> Just the WKD-check functionality in NextCloud Mail?

Just this as far as I'm concerned.

ParaplegicRacehorse commented 3 years ago

> Just the WKD-check functionality in NextCloud Mail?

This would be a good start.

> Or that NextCloud provides a /.wellknown directory?

Straightforward future enhancement (?); most likely by a separate but integrated NC app. (?)

> To make the experience more holistic it would be nice that NextCloud users can store their public key in their profile and a NextCloud WKD App pays respect to it and publishes it on its WKD /.wellknown directory site.

How awesome would this be?! Especially if combined with a cryptographic key management app [separate but integrated] possibility.

MeiKatz commented 2 years ago

Registering your own 'well-known' handler is easy, because NextCloud has a `registerWellKnownHandler` method and therefore an app could add a handler for `openpgpkey`.

MeiKatz commented 2 years ago

Anyway, before we could add this feature we must decide how and where the private keys are stored. I could imagine a hybrid solution: save the private keys on the server side but encrypted by the current user password. After logging in the encrypted private key is stored in a (signed) cookie. Now you can encrypt the emails on the server side.

The remaining question is: how do you search through the messages? Do we encrypt the message on receiving and keep a decrypted copy of them on the server? Or do we need to encrypt every message on search? Or is the search disabled for encrypted mails?

wiktor-k commented 2 years ago

@MeiKatz, maybe you're thinking about a more complete solution but I'd just like to point out that WKD is for public keys so in theory it's only sufficient that the user uploads their public key and NextCloud exposes just that. Then there are no problems with secure private key storage because there are no private keys in the loop.

ChristophWurst commented 2 years ago

> Or is the search disabled for encrypted mails?

I'd vote for this. Anything else either violates privacy or performance aspects.

MeiKatz commented 2 years ago

@wiktor-k Yes and no – we could release such a feature without the need for decryption of mails. But wouldn't it be great if we had the encryption and decryption in one place? Maybe we should do both in two steps: first the WKD and publishing the public key, afterwards we could add support for server-side decryption.

Btw: one thing I could not solve yet is: many folks provide their NC instance on a subdomain but use their primary domain for their emails. Maybe we should add an option for defining the domain that should be used.

Example:

- NC domain: nextcloud.example.org
- Used e-mail addresses: alice@example.org

MeiKatz commented 2 years ago

> > Or is the search disabled for encrypted mails?
>
> I'd vote for this. Anything else either violates privacy or performance aspects.

Yes, maybe with the option to add a more advanced solution in the future. Maybe we could add searching through encrypted emails as an opt-in solution for those who want it.

titanism commented 10 months ago

@forwardemail now supports OpenPGP/WKD as of today @ https://forwardemail.net/faq#do-you-support-openpgpmime-end-to-end-encryption-e2ee-and-web-key-directory-wkd