OpenPGP WKD Deployment Profile

StatusDraft
Version2026-07-08
AuthorColin Knapp
Sourceopenpgp-wkd-profile.md

Abstract

This profile describes how this SnappyMail deployment publishes and discovers OpenPGP public keys using OpenPGP Web Key Directory (WKD).

It relies on existing interoperable mechanisms instead of defining a replacement discovery path.

1. Publication

Servers publish binary OpenPGP public key material at the standard WKD paths:

/.well-known/openpgpkey/hu/{hash}?l={local}
/.well-known/openpgpkey/{domain}/hu/{hash}?l={local}
/.well-known/openpgpkey/policy

The {hash} value is the z-base32 encoded SHA-1 digest of the lowercase ASCII local-part.

The response body is binary OpenPGP public key material with Content-Type: application/octet-stream.

The deployment MUST NOT expose list or directory endpoints. Unknown keys return 404.

2. Direct and Advanced Methods

Direct WKD serves keys from the mail domain:

https://example.com/.well-known/openpgpkey/hu/{hash}?l=alice

Advanced WKD serves keys from openpgpkey.{domain} and includes the mail domain in the path:

https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/{hash}?l=alice

For advanced delegation, DNS SHOULD point openpgpkey.example.com at the service that hosts the WKD tree.

A CNAME is usually sufficient:

openpgpkey.example.com. 300 IN CNAME wkd-host.example.net.

3. Discovery and Import

Outbound mail clients SHOULD try WKD when a recipient has no local server-side GnuPG public key.

A discovered key is imported only when it contains a UID matching the recipient email address and has an encryption-capable primary key or subkey.

Messages are encrypted automatically only when every recipient has a usable key.

Internal same-domain messages keep the stricter local policy: they require automatic GnuPG signing and encryption before sending.

4. Related DNS Records

RFC 7929 defines DANE OPENPGPKEY records. This profile treats DANE as related support, not a v1 requirement.

TXT pointer records MAY be used as a non-standard local extension, but they are not the primary discovery mechanism and MUST NOT replace WKD interoperability.

5. Privacy Considerations

WKD does not publish plaintext email addresses in filenames, but the hash is enumerable by guessing common local-parts.

The real privacy control is the absence of directory listings or index endpoints.

This profile publishes only public keys from server-stored GnuPG keyrings. Browser-local OpenPGP.js keys are not published.

6. References