OpenPGP WKD Deployment Profile
| Status | Draft |
| Version | 2026-07-08 |
| Author | Colin Knapp |
| Source | openpgp-wkd-profile.md |
Abstract
This profile describes how this SnappyMail deployment publishes and discovers OpenPGP public keys using OpenPGP Web Key Directory (WKD).
It relies on existing interoperable mechanisms instead of defining a replacement discovery path.
1. Publication
Servers publish binary OpenPGP public key material at the standard WKD paths:
/.well-known/openpgpkey/hu/{hash}?l={local}
/.well-known/openpgpkey/{domain}/hu/{hash}?l={local}
/.well-known/openpgpkey/policy
The {hash} value is the z-base32 encoded SHA-1 digest of the lowercase ASCII local-part.
The response body is binary OpenPGP public key material with Content-Type: application/octet-stream.
The deployment MUST NOT expose list or directory endpoints. Unknown keys return 404.
2. Direct and Advanced Methods
Direct WKD serves keys from the mail domain:
https://example.com/.well-known/openpgpkey/hu/{hash}?l=alice
Advanced WKD serves keys from openpgpkey.{domain} and includes the mail domain in the path:
https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/{hash}?l=alice
For advanced delegation, DNS SHOULD point openpgpkey.example.com at the service that hosts the WKD tree.
A CNAME is usually sufficient:
openpgpkey.example.com. 300 IN CNAME wkd-host.example.net.
3. Discovery and Import
Outbound mail clients SHOULD try WKD when a recipient has no local server-side GnuPG public key.
A discovered key is imported only when it contains a UID matching the recipient email address and has an encryption-capable primary key or subkey.
Messages are encrypted automatically only when every recipient has a usable key.
Internal same-domain messages keep the stricter local policy: they require automatic GnuPG signing and encryption before sending.
4. Related DNS Records
RFC 7929 defines DANE OPENPGPKEY records. This profile treats DANE as related support, not a v1 requirement.
TXT pointer records MAY be used as a non-standard local extension, but they are not the primary discovery mechanism and MUST NOT replace WKD interoperability.
5. Privacy Considerations
WKD does not publish plaintext email addresses in filenames, but the hash is enumerable by guessing common local-parts.
The real privacy control is the absence of directory listings or index endpoints.
This profile publishes only public keys from server-stored GnuPG keyrings. Browser-local OpenPGP.js keys are not published.
6. References
- OpenPGP Web Key Directory draft
- RFC 7929: DNS-Based Authentication of Named Entities for OpenPGP
- RFC 8615: Well-Known Uniform Resource Identifiers