.. title: New PGP key ID 1793DAD5D803A8FFD7451697BB992F9864FAD168
.. slug: new-pgp-key-id-1793dad5d803a8ffd7451697bb992f9864fad168
.. date: 2022-04-30 10:35:57 UTC+02:00
.. tags: chain of trust, gnupg, gpg, infrastructure, openpgp, sequoia, sq, web key directory, web of trust
.. category: admin
.. link: 
.. description: 
.. type: text

As my current |PGP| key ``91BD8815FE0040FA7FF5D68754C28F4FF5A1A949`` will
expire soon, I have created a new one to replace it.

You can get my new key ``1793DAD5D803A8FFD7451697BB992F9864FAD168``, as well as
the old one and the cross-signatures required to establish the |chain of trust|
between the two, via Web Key Directory (|WKD|), which ``gpg >= 2.1.23`` should
use automatically.

To avoid dealing with the rather convoluted |gnupg| tooling, I have created a
deployment method for this using |sequoia-pgp|'s |sq|, which is described in
the rest of this article.

.. TEASER_END

Key servers
===========

Historically, there has been a set of |key servers|, which have been used to
distribute the public keys of users centrally and/or in a synchronized
fashion. These key servers have been widely relied upon, but they suffer(ed)
from many issues regarding privacy, stability and speed. Most notably, the
Synchronized Key Server (|SKS|) system collapsed under its technical debt and
had to be shut down.

To this day there are still other large, non-synchronized keyserver systems
around (e.g. |hockeypuck|, which drives https://keyserver.ubuntu.com), but they
all suffer from the fact that a large centralized setup, in which keys are
only ever appended, does not scale.

Additionally, not all keyserver systems support all key types or signatures on
keys, which is problematic, as they cannot reflect the |chain of trust|
between two or more keys. This is very problematic for the |web of trust| of
|PGP|.

Web Key Directory
=================

At the time of writing the |WKD| system is formalized in
|draft-koch-openpgp-webkey-service-11|. It describes a decentralized way of
providing public key material via a given domain's webserver, by exposing
specially crafted files.

WKD Deployment
==============

Personally, I believe that the |gpg| commandline interface is incredibly
convoluted and very complex. I therefore used |sequoia-pgp|'s |sq| instead to
combine PGP public key material and prepare the required directory structure.

In my personal |wkd| project I assembled a simple system consisting of
easy-to-prepare directories in which to place PGP public keys. These are
converted to a keyring using |sq keyring join|, converted into a |WKD|
structure using |sq wkd generate| and synchronized to the webserver using
|rsync|.

As I do not provide an ``openpgpkey`` subdomain, I am using a direct domain
directory structure (see |WKDHosting| for further details).
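The lookup a |WKD| client performs for the directory structure described above, as an added example that is not code from this post or from the author's ``wkd`` project: the local part of the address is lower-cased, hashed with SHA-1 and z-base-32 encoded, which yields both the file name under ``.well-known/openpgpkey/hu/`` and the URL for the direct method (no ``openpgpkey`` subdomain) and the advanced method. ``Joe.Doe@Example.ORG`` is the draft's own test vector; the function names are this example's.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as unpadded z-base-32: 5 bits per character, MSB first."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32_ALPHABET[(value >> ((nchars - 1 - i) * 5)) & 0x1F]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD file name: SHA-1 of the lower-cased local part, z-base-32 encoded."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Lookup URLs a WKD client derives from a mail address.

    "direct" is the variant the author deploys (keys served from the domain
    itself); "advanced" uses the openpgpkey subdomain and repeats the domain
    in the path. Both variants expect a policy file next to the hu/ directory.
    """
    local_part, sep, domain = address.partition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local_part)
    lp = quote(local_part, safe="")  # the original, not lower-cased, local part
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={lp}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={lp}",
    }


def wkd_direct_path(address: str) -> str:
    """Path below the web root where the direct method expects the key file."""
    return f".well-known/openpgpkey/hu/{wkd_hash(address.partition('@')[0])}"


if __name__ == "__main__":
    for addr in ("dave@sleepmap.de", "Joe.Doe@Example.ORG"):
        for kind, url in wkd_urls(addr).items():
            print(f"{addr:22} {kind:14} {url}")
```

Comparing ``wkd_direct_path`` against the files ``sq wkd generate`` wrote is a quick way to check a deployment before the ``rsync`` step.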

Using keys from WKD
===================

In theory all that is required for |gpg| to make use of |WKD| is a version
``>=2.1.23``. However, its use can be somewhat confusing:

.. code:: sh

  gpg --locate-keys dave@sleepmap.de

The above only returns the new key
``1793DAD5D803A8FFD7451697BB992F9864FAD168``, but not the old
``91BD8815FE0040FA7FF5D68754C28F4FF5A1A949``. It is entirely opaque to the user
as to why.

Meanwhile with |sq wkd get| it is possible to return the public key material of
both keys:

.. code:: sh

  sq wkd get dave@sleepmap.de

The certificates can be inspected directly using |sq inspect|:

.. code:: sh

  sq inspect --certifications <(sq wkd get dave@sleepmap.de)

Additionally, the certificates can be imported into an existing |gnupg| based
keyring:

.. code:: sh

  gpg --import <(sq wkd get dave@sleepmap.de)
With |WKD| in place, providing a separate PGP public key file on this website
has become obsolete. I have therefore replaced it with plain mentions of the
PGP key IDs on the `about page <https://sleepmap.de/about/>`_.

.. |PGP| raw:: html

  <a target="blank" href="https://en.wikipedia.org/wiki/Pretty_Good_Privacy">PGP</a>

.. |chain of trust| raw:: html

  <a target="blank" href="https://en.wikipedia.org/wiki/Chain_of_trust">chain of trust</a>

.. |web of trust| raw:: html

  <a target="blank" href="https://en.wikipedia.org/wiki/Web_of_trust">web of trust</a>

.. |WKD| raw:: html

  <a target="blank" href="https://wiki.gnupg.org/WKD">WKD</a>

.. |gnupg| raw:: html

  <a target="blank" href="https://gnupg.org/">gnupg</a>

.. |sequoia-pgp| raw:: html

  <a target="blank" href="https://sequoia-pgp.org/">sequoia-pgp</a>

.. |sq| raw:: html

  <a target="blank" href="https://man.archlinux.org/man/sq.1">sq</a>

.. |key servers| raw:: html

  <a target="blank" href="https://en.wikipedia.org/wiki/Key_server_(cryptographic)">key servers</a>

.. |SKS| raw:: html

  <a target="blank" href="https://github.com/SKS-Keyserver/sks-keyserver">SKS</a>

.. |hockeypuck| raw:: html

  <a target="blank" href="https://github.com/hockeypuck/hockeypuck">hockeypuck</a>

.. |draft-koch-openpgp-webkey-service-11| raw:: html

  <a target="blank" href="https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-11.html">draft-koch-openpgp-webkey-service-11</a>

.. |gpg| raw:: html

  <a target="blank" href="https://man.archlinux.org/man/gpg.1">gpg</a>

.. |wkd| raw:: html

  <a target="blank" href="https://git.sleepmap.de/dave/wkd.git/">wkd</a>

.. |sq keyring join| raw:: html

  <a target="blank" href="https://man.archlinux.org/man/sq-keyring-join.1">sq keyring join</a>

.. |sq wkd generate| raw:: html

  <a target="blank" href="https://man.archlinux.org/man/sq-wkd-generate.1">sq wkd generate</a>

.. |rsync| raw:: html

  <a target="blank" href="https://man.archlinux.org/man/rsync.1">rsync</a>

.. |WKDHosting| raw:: html

  <a target="blank" href="https://wiki.gnupg.org/WKDHosting">WKDHosting</a>

.. |sq wkd get| raw:: html

  <a target="blank" href="https://man.archlinux.org/man/sq-wkd-get.1">sq wkd get</a>

.. |sq inspect| raw:: html

  <a target="blank" href="https://man.archlinux.org/man/sq-inspect.1">sq inspect</a>