Open Bug 1695048 Opened 4 years ago Updated 2 years ago

Allow publishing a personal key with a WKS request

Categories: MailNews Core :: Security: OpenPGP, enhancement
Reporter: ns-bugmozilla-19580, Unassigned

Attachments: 1 file
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Enigmail supported WKD as a source for GPG keys and could create WKS publication requests as well as the confirmations.
See these pages for more information:
https://wiki.gnupg.org/WKD
https://wiki.gnupg.org/WKS
https://www.gnupg.org/documentation/manuals/gnupg/gpg_002dwks_002dclient.html

For normal users it would be good to implement WKD as a source for fetching GPG keys, and WKS to be able to submit publication requests to a WKS server.

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

I wonder if this may be a bug? It is claimed that WKD is supported - I found at least two references

https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_how-do-i-get-the-public-keys-of-my-correspondents
https://wiki.mozilla.org/Thunderbird:OpenPGP:Status

According to the second article it appears to be done from TB 77.

However, sniffing network traffic shows TB is only contacting keys.openpgp.org, but not my WKD server (which is working fine in the advanced mode, according to:

https://metacode.biz/openpgp/web-key-directory

.... I also had some success when trying to use the dialogs in "OpenPGP key manager" -> Keyserver -> Discovery keys online, though sniffing didn't confirm it's really using the WKD server (I may have missed that, or it is somewhere in the cache).

Yes, please bring back WKS lookups. Thunderbird+Enigmail supported this by default and it made fetching people's public keys a breeze and automatic. Protonmail publishes all their users' public keys in WKS, so before, with Enigmail, e-mailing someone that uses Proton would instantly pull down their proper key. This is really a step backwards not porting this feature over to Thunderbird's native GPG.

(In reply to Ladislav Láska from comment #1)

I wonder if this may be a bug? It is claimed that WKD is supported - I found at least two references

This made me think and check again.
I could discover a request to openpgpkey.mydomain.de in the network tab and it found my key successfully. The request was initiated by wkdLookup.jsm.
After I discarded this key proposal, Thunderbird connected to keys.openpgp.org (keyserver.jsm).

So, this part looks fine to me. Still, I am missing the possibility to publish my keys in the WKD (that's what WKS is for).
I am using Thunderbird 78.9.0

Blocks: 1717056
Blocks: 1717063

I tried to fetch krakonos@krakonos.org from daily and it worked.

Your key is not available on keys.openpgp.org, the console says that, and it seems to have fetched your key from mail.krakonos.org:

console.debug: "searchKeysOnInternet no data in keys.openpgp.org"
console.debug: [{prio:10, host:"mail.krakonos.org", type:15, nsclass:1, ttl:414}, {prio:20, host:"jabberwock.ucw.cz", type:15, nsclass:1, ttl:414}]

I'm renaming this ticket to be specifically about publishing a personal key with WKS.

Summary: GPG: Implement WKD and WKS requests → Allow publishing a personal key with a WKS request

Thanks, that looks good! My key is not at keys.openpgp.org on purpose. Publishing the key would be fine, though I don't plan on implementing this specific mechanism on my infrastructure.

No longer blocks: 1717056
See Also: → 1717056
No longer blocks: 1717063
See Also: → 1717063
Status: UNCONFIRMED → NEW
Ever confirmed: true

For WKS publishing, the Enigmail implementation had called functionality from GnuPG.
Because Thunderbird doesn't have GnuPG available by default, it's not as easy for us to do.

I have a working WKS on my mail server.
For the moment, the way I found to send my public key to my WKS with Thunderbird (on Linux) is:

  1. Sending with Thunderbird an encrypted mail to my WKS mail address (wks-submission@example.com), with my public key (automatically sent by Thunderbird).
  2. I receive a response from the server with a file containing the nonce. I save this file.
  3. I give this file to gpg-wks-client and pipe the response mail to msmtp to send it back to the WKS (the command involved is /usr/lib/gnupg/gpg-wks-client --read < nonce_file | msmtp --read-envelope-from --read-recipients --tls=on --auth=on --host=smtp.example.com --port=587 --user=user@example.com and giving my mail password).
  4. I receive a confirmation that my key has been added to the WKS.

So instead I tried to look at the mail I sent in 3. with this method to see what is needed for the WKS to confirm.
First, here is the file I receive in 2:

type: confirmation-request
sender: wks-submission@example.com
address: emailoftheclient@example.com
fingerprint: FINGERPRINT******
nonce: NONCENUMBER******

Then here is the encrypted mail made by gpg-wks-client as the response in 3, to give an idea of the form it has to have:

From: emailoftheclient@example.com
To: wks-submission@example.com
Subject: Key publication confirmation
Wks-Draft-Version: 3
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
	boundary="=-=01-ux5whbsduqqs45t5fiko=-="
Date: Sat, 08 Apr 2023 16:12:17 +0000


--=-=01-ux5whbsduqqs45t5fiko=-=
Content-Type: application/pgp-encrypted

Version: 1

--=-=01-ux5whbsduqqs45t5fiko=-=
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----

--=-=01-ux5whbsduqqs45t5fiko=-=--

And to finish, if I save this mail to a file and open it with Thunderbird, it can be decrypted to see what is inside. It is an encrypted mail from the client mail address to the WKS mail address (as seen in the encrypted mail) with "Key publication confirmation" as the Subject. The body of the mail is empty. It doesn't include the public key, but it contains a file as an attachment. Here is what's inside this file:

type: confirmation-response
sender: wks-submission@example.com
address: emailoftheclient@example.com
nonce: NONCENUMBER******

So I tried to reproduce this mail with Thunderbird, sending an encrypted mail to the WKS address with "Key publication confirmation" as the subject, without automatically sending my public key, with an empty body and attaching the same file as just above.
But it doesn't work.
If I look at the source code of this response mail made by Thunderbird, there is a lot more than what is made by gpg-wks-client. So I suppose it's because of this that it doesn't work (if needed I can put the format of the Thunderbird response here).
The only error I see in gpg-wks-server on my WKS server is "unexpected 'application/x-troff-man' message part".

To conclude, to make Thunderbird able to send a public key to a WKS, it has to make a response with the correct format and with the correct attachment as seen below.
I'm not a developer so I will not be able to do a lot more.
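The exchange described in this comment (nonce file in, confirmation mail out), as an added Python example that is neither Thunderbird's nor gpg-wks-client's code: it parses the request file, refuses to confirm a nonce issued for a different address, and lays out the multipart/encrypted mail with the two content types shown above. The encrypt callable, the sample request values and the WKS_SUBJECT constant are assumptions; the response file is handed to encrypt directly, so the inner mail-with-attachment layout seen after decryption is not reconstructed.

```python
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.utils import formatdate

WKS_SUBJECT = "Key publication confirmation"
# Constructed sample shaped like the nonce file received in step 2 (not a real one).
SAMPLE_REQUEST = ("type: confirmation-request\nsender: wks-submission@example.com\n"
                  "address: emailoftheclient@example.com\nfingerprint: PLACEHOLDER\n"
                  "nonce: PLACEHOLDER-NONCE\n")

def parse_wks_file(text):
    """Parse the 'key: value' lines of a WKS file into a dict (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed WKS line: %r" % line)
        fields[key.strip().lower()] = value.strip()
    return fields

def build_confirmation_response(request, own_address):
    """Check the request belongs to this account, then echo sender/address/nonce."""
    if request.get("type") != "confirmation-request":
        raise ValueError("not a confirmation-request file")
    for field in ("sender", "address", "fingerprint", "nonce"):
        if not request.get(field):
            raise ValueError("missing field: " + field)
    if request["address"].lower() != own_address.lower():
        raise ValueError("request is for another address; not confirming")
    return ("type: confirmation-response\nsender: %s\naddress: %s\nnonce: %s\n"
            % (request["sender"], request["address"], request["nonce"]))

def build_confirmation_mail(request, own_address, encrypt):
    """Wrap encrypt(response) in the multipart/encrypted layout shown in step 3.
    `encrypt` (assumed) must return ASCII-armoured OpenPGP ciphertext for the WKS key."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"] = own_address, request["sender"]
    outer["Subject"] = WKS_SUBJECT
    outer["Wks-Draft-Version"] = "3"
    outer["Date"] = formatdate(usegmt=True)
    control = Message()                      # first part: fixed "Version: 1" marker
    control["Content-Type"] = "application/pgp-encrypted"
    control.set_payload("Version: 1\n")
    body = Message()                         # second part: the ciphertext itself
    body["Content-Type"] = "application/octet-stream"
    body.set_payload(encrypt(build_confirmation_response(request, own_address)))
    outer.attach(control); outer.attach(body)
    return outer
```

Setting both part types explicitly is the point: a client that guesses the attachment type (the 'application/x-troff-man' error above) produces a layout gpg-wks-server rejects.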
