Adding support for fetching GPG key using WKD protocol

Wiktor Kwapisiewicz wiktor at metacode.biz
Wed Jul 4 21:27:23 UTC 2018


Hello mutt-dev,

I would like to extend mutt to add fetching GPG keys over Web Key 
Directory protocol.

(I've previously created an issue on gitlab [0] but I'll summarize the 
thing here for the broader audience).

Web Key Directory is a new scheme for GPG key discovery. It converts the 
e-mail address to an HTTPS URL and fetches the key from there. It is 
already supported by some e-mail clients (EnigMail, GpgOL).

For example, kernel.org has it enabled and Linus' key is at: 
https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x

As GnuPG 2 has it enabled by default, "gpg --locate-key 
torvalds@kernel.org" will fetch that key.

I've been exploring mutt's source code and the change would mostly be 
enabling external lookup for keys that are not locally present [1] when 
encryption is explicitly turned on (gpgme backend).

That raises some privacy issues; the same was discussed on the gnupg-devel 
ML [2] (gpg by default will fetch the key via WKD when encrypting to a 
recipient but will *not* fetch the key when verifying signatures).

The question is how to do it well. Maybe ask the user if they want to 
search for the key using WKD if it's not locally present?

An option would be the first choice but I worry about it not being used 
at all (as people rarely enable non-standard features [3]).

Thank you for your consideration!

Kind regards,
Wiktor

[0]: https://gitlab.com/muttmua/mutt/issues/55

[1]: gpgme_set_keylist_mode(ctx, 
GPGME_KEYLIST_MODE_LOCAL|GPGME_KEYLIST_MODE_EXTERN); in 
crypto-gpgme.c#get_candidates.

[2]: https://lists.gnupg.org/pipermail/gnupg-devel/2017-August/033021.html

[3]: https://gitlab.com/muttmua/mutt/issues/3

-- 
https://metacode.biz/@wiktor
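As an added illustration (not code from the mail, from mutt or from GnuPG), this Python shows the address-to-URL mapping WKD performs: lower-case the local-part, SHA-1 it, z-base-32 the digest, and place it under `/.well-known/openpgpkey/hu/`. The `openpgpkey.<domain>` "advanced" form and the `?l=` query are taken from the later WKD draft, not from this mail; the kernel.org URL in the mail is the "direct" form.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet; WKD uses this encoding for the hashed local-part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding. A 20-byte SHA-1 digest
    is 160 bits, so it maps to exactly 32 five-bit symbols."""
    nbits = len(data) * 8
    pad = (-nbits) % 5              # top up to a whole number of symbols
    value = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD mapping of the local-part: lower-case it, SHA-1 it, z-base-32 it."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Build the two WKD lookup URLs for an e-mail address.

    'direct' is the form used in the kernel.org example; 'advanced' is the
    openpgpkey.<domain> variant from the later draft. The '?l=' query carries
    the original local-part. Either request tells the server for <domain>
    which address the sender is about to encrypt to, which is the privacy
    concern the mail raises."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    return {
        "hash": h,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("torvalds@kernel.org").items():
        print(f"{name:9} {url}")
```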