mirror of
https://codeberg.org/keyoxide/keyoxide-web.git
synced 2024-12-24 15:59:28 -07:00
44 lines
2.4 KiB
Markdown
44 lines
2.4 KiB
Markdown
|
# Uploading keys using web key directory
|
||
|
|
||
|
[[toc]]
|
||
|
|
||
|
## Web key directory
|
||
|
|
||
|
[Web key directory](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) or WKD refers to the method of uploading one's public key to their website in a specific location to make it easily accessible by other services supporting WKD. The key will be discoverable using an identifier similar to an email address: **username@domain.org**.
|
||
|
|
||
|
The benefit of WKD is having full control over the key while still having it widely available. It does however require a domain and some form of file hosting. Luckily, [openpgp.org](https://keys.openpgp.org/about/usage#wkd-as-a-service) have made a WKD-as-a-service. Read more at the end of the guide.
|
||
|
|
||
|
It exists in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps.
|
||
|
|
||
|
## The Direct setup
|
||
|
|
||
|
To make your keys available via WKD using the Direct setup, you'll need two paths on your server:
|
||
|
|
||
|
**https://domain.org/.well-known/openpgpkey/policy**: this is an empty file
|
||
|
|
||
|
**https://domain.org/.well-known/openpgpkey/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored)
|
||
|
|
||
|
The LOCALPART above is actually the username hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As it's not humanly possible to compute this by ourselves, Keyoxide provides a [small utility to do this for you](/util/wkd).
|
||
|
|
||
|
So if you wish to make your key available as **jimothy@dm.com**, according to the [small utility](/util/wkd), the URL would become:
|
||
|
|
||
|
`https://dm.com/.well-known/openpgpkey/hu/n9utc41qty791upt63rm5xtiudabmw6m`
|
||
|
|
||
|
## The Advanced setup
|
||
|
|
||
|
While not necessary if the Direct setup works, there is a second setup to make WKD work: the Advanced setup. The paths needed are:
|
||
|
|
||
|
**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy**: this is an empty file
|
||
|
|
||
|
**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored)
|
||
|
|
||
|
Indeed, quite similar to the Direct setup, except for the **openpgpkey** subdomain and the additional **domain.org** in the path of the public key.
|
||
|
|
||
|
The public key for **jimothy@dm.com** would be available at:
|
||
|
|
||
|
`https://openpgpkey.dm.com/.well-known/openpgpkey/hu/dm.com/n9utc41qty791upt63rm5xtiudabmw6m`
|
||
|
|
||
|
## WKD-as-a-service
|
||
|
|
||
|
In case hosting is problem, Openpgp.org has a handy [WKD-as-a-service](https://keys.openpgp.org/about/usage#wkd-as-a-service).
|