-rw-r--r--posts/2022/new-pgp-key-id-1793dad5d803a8ffd7451697bb992f9864fad168.rst182
1 files changed, 182 insertions, 0 deletions
diff --git a/posts/2022/new-pgp-key-id-1793dad5d803a8ffd7451697bb992f9864fad168.rst b/posts/2022/new-pgp-key-id-1793dad5d803a8ffd7451697bb992f9864fad168.rst
new file mode 100644
index 0000000..15ce8fb
--- /dev/null
+++ b/posts/2022/new-pgp-key-id-1793dad5d803a8ffd7451697bb992f9864fad168.rst
@@ -0,0 +1,182 @@
+.. title: New PGP key ID 1793DAD5D803A8FFD7451697BB992F9864FAD168
+.. slug: new-pgp-key-id-1793dad5d803a8ffd7451697bb992f9864fad168
+.. date: 2022-04-30 10:35:57 UTC+02:00
+.. tags: chain of trust, gnupg, gpg, infrastructure, openpgp, sequoia, sq, web key directory, web of trust
+.. category: admin
+.. link:
+.. description:
+.. type: text
+
+As my current |PGP| key ``91BD8815FE0040FA7FF5D68754C28F4FF5A1A949`` will be
+expired soon, I have created a new one to replace it.
+
+You can get my new key ``1793DAD5D803A8FFD7451697BB992F9864FAD168`` as well as
+the old one and the cross-signatures required to establish the |chain of trust|
+between the two via Web Key Directory (|WKD|) (which should be used
+automatically by ``gpg >= 2.1.23``).
+
+To not deal with the rather convoluted |gnupg| tooling I have created a
+deployment method for this using |sequoia-pgp|'s |sq|, about which you can read
+in the rest of this article.
+
+.. TEASER_END
+
+Key servers
+===========
+
+Historically, there has been a set of |key servers|, which have been used to
+distribute the public keys of users centrally and/ or in a synchronized
+fashion. These key servers have been widely relied upon, but they suffer(ed)
+from a lot of issues in regards to privacy, stability and speed. Most notably
+the Synchronized Key Server (|SKS|) system collapsed under its technical debt
+and had to be shut down.
+
+To this day there are still other large, non-synchronized keyserver systems
+around (e.g. |hockeypuck|, which drives https://keyserver.ubuntu.com), but they
+all suffer from the fact, that a large centralized setup, in which keys are
+only ever appended, does not scale.
+
+Additionally, not all keyserver systems support all key types or signatures on
+keys, which is problematic, as they can not reflect upon |chain of trust|
+between two or more keys. This is very problematic for the |web of trust| of
+|PGP|.
+
+Web Key Directory
+=================
+
+At the time of writing the |WKD| system is formalized in
+|draft-koch-openpgp-webkey-service-11|. It describes a decentralized way of
+providing public key material via a given domain's webserver, by exposing
+specially crafted files.
+
+WKD Deployment
+==============
+
+Personally, I believe that the |gpg| commandline interface is incredibly
+convoluted and very complex. I therefore used |sequoia-pgp|'s |sq| instead to
+combine PGP public key material and prepare the required directory structure.
+
+In my personal |wkd| project I assembled a simple system consisting of easy to
+prepare directories in which to place PGP public keys, which are converted to a
+keyring using |sq keyring join|, converted into a |WKD| structure using |sq wkd
+generate| and synchronized using |rsync|.
+
+As I do not provide an ``openpgpkey`` subdomain, I am using a direct domain
+directory structure (see |WKDHosting| for further details).
+
+Using keys from WKD
+===================
+
+In theory all that is required for |gpg| to make use of |WKD| is a version
+``>=2.1.23``. However, its use can be somewhat confusing:
+
+.. code:: sh
+
+ gpg --locate-keys dave@sleepmap.de
+
+The above only returns the new key
+``1793DAD5D803A8FFD7451697BB992F9864FAD168``, but not the old
+``91BD8815FE0040FA7FF5D68754C28F4FF5A1A949``. It is entirely opaque to the user
+as to why.
+
+Meanwhile with |sq wkd get| it is possible to return the public key material of
+both keys:
+
+.. code:: sh
+
+ sq wkd get dave@sleepmap.de
+
+The certificates can be inspected directly using |sq inspect|:
+
+.. code:: sh
+
+ sq inspect --certifications <(sq wkd get dave@sleepmap.de)
+
+Additionally, the certificates can be imported into an existing |gnupg| based
+keyring:
+
+.. code:: sh
+
+ gpg --import <(sq wkd get dave@sleepmap.de)
+
+
+Using |WKD|, the need for providing a separate PGP public key file in the
+context of this website has been made obsolete and I have therefore instead
+replaced it with plain mentions of the PGP key IDs on the `about page
+<https://sleepmap.de/about/>`_.
+
+.. |PGP| raw:: html
+
+ <a target="blank" href="https://en.wikipedia.org/wiki/Pretty_Good_Privacy">PGP</a>
+
+.. |chain of trust| raw:: html
+
+ <a target="blank" href="https://en.wikipedia.org/wiki/Chain_of_trust">chain of trust</a>
+
+.. |web of trust| raw:: html
+
+ <a target="blank" href="https://en.wikipedia.org/wiki/Web_of_trust">web of trust</a>
+
+.. |WKD| raw:: html
+
+ <a target="blank" href="https://wiki.gnupg.org/WKD">WKD</a>
+
+.. |gnupg| raw:: html
+
+ <a target="blank" href="https://gnupg.org/">gnupg</a>
+
+.. |sequoia-pgp| raw:: html
+
+ <a target="blank" href="https://sequoia-pgp.org/">sequoia-pgp</a>
+
+.. |sq| raw:: html
+
+ <a target="blank" href="https://man.archlinux.org/man/sq.1">sq</a>
+
+.. |key servers| raw:: html
+
+ <a target="blank" href="https://en.wikipedia.org/wiki/Key_server_(cryptographic)">key servers</a>
+
+.. |SKS| raw:: html
+
+ <a target="blank" href="https://github.com/SKS-Keyserver/sks-keyserver">SKS</a>
+
+.. |hockeypuck| raw:: html
+
+ <a target="blank" href="https://github.com/hockeypuck/hockeypuck">hockeypuck</a>
+
+.. |draft-koch-openpgp-webkey-service-11| raw:: html
+
+ <a target="blank" href="https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-11.html">draft-koch-openpgp-webkey-service-11</a>
+
+.. |gpg| raw:: html
+
+ <a target="blank" href="https://man.archlinux.org/man/gpg.1">gpg</a>
+
+.. |wkd| raw:: html
+
+ <a target="blank" href="https://git.sleepmap.de/dave/wkd.git/">wkd</a>
+
+.. |sq keyring join| raw:: html
+
+ <a target="blank" href="https://man.archlinux.org/man/sq-keyring-join.1">sq keyring join</a>
+
+.. |sq wkd generate| raw:: html
+
+ <a target="blank" href="https://man.archlinux.org/man/sq-wkd-generate.1">sq wkd generate</a>
+
+.. |rsync| raw:: html
+
+ <a target="blank" href="https://man.archlinux.org/man/rsync.1">rsync</a>
+
+.. |WKDHosting| raw:: html
+
+ <a target="blank" href="https://wiki.gnupg.org/WKDHosting">WKDHosting</a>
+
+.. |sq wkd get| raw:: html
+
+ <a target="blank" href="https://man.archlinux.org/man/sq-wkd-get.1">sq wkd get</a>
+
+.. |sq inspect| raw:: html
+
+ <a target="blank" href="https://man.archlinux.org/man/sq-inspect.1">sq inspect</a>
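Review bot: The "Using keys from WKD" section shows how to fetch and inspect both keys but never states what the reader must actually verify, and that is the security-relevant step of this announcement. The cross-signatures mentioned in "the cross-signatures required to establish the |chain of trust| between the two" are the only thing that lets someone who already trusted ``91BD8815FE0040FA7FF5D68754C28F4FF5A1A949`` transfer that trust to ``1793DAD5D803A8FFD7451697BB992F9864FAD168``; the WKD fetch on its own only shows that whoever controls the sleepmap.de webserver published these files. After ``sq inspect --certifications <(sq wkd get dave@sleepmap.de)`` add a sentence telling the reader what to look for in the output (a certification on the new key's user ID made by the old key, and the corresponding one in the other direction), and note that ``gpg --import`` without that check merely adds an unverified key to the keyring. The paragraph ending "It is entirely opaque to the user as to why." also leaves the ``gpg --locate-keys`` behaviour hanging; if the cause was not determined, say so plainly rather than leaving the reader to guess whether the old key is missing from the server or filtered by the client. Minor wording: "will be expired soon" should read "will expire soon", "and/ or" should be "and/or", and "suffer from the fact, that a large centralized setup" takes no comma before "that".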