# OpenPGP WKD Deployment Profile

> **Status:** Draft  
> **Version:** 2026-07-08  
> **Author:** Colin Knapp

## Abstract

This profile describes how this SnappyMail deployment publishes and discovers OpenPGP public keys using OpenPGP Web Key Directory (WKD). It relies on existing interoperable mechanisms instead of defining a replacement discovery path.

## Publication

Servers publish binary OpenPGP public key material at the standard WKD paths:

```text
/.well-known/openpgpkey/hu/{hash}?l={local}
/.well-known/openpgpkey/{domain}/hu/{hash}?l={local}
/.well-known/openpgpkey/policy
```

The `{hash}` value is the z-base32 encoded SHA-1 digest of the lowercase ASCII local-part. The response body is binary OpenPGP public key material with `Content-Type: application/octet-stream`.

The deployment MUST NOT expose list or directory endpoints. Unknown keys return `404`.

## Direct and Advanced Methods

Direct WKD serves keys from the mail domain:

```text
https://example.com/.well-known/openpgpkey/hu/{hash}?l=alice
```

Advanced WKD serves keys from `openpgpkey.{domain}` and includes the mail domain in the path:

```text
https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/{hash}?l=alice
```

For advanced delegation, DNS SHOULD point `openpgpkey.example.com` at the service that hosts the WKD tree. A CNAME is usually sufficient:

```text
openpgpkey.example.com. 300 IN CNAME wkd-host.example.net.
```

## Discovery and Import

Outbound mail clients SHOULD try WKD when a recipient has no local server-side GnuPG public key. A discovered key is imported only when it contains a UID matching the recipient email address and has an encryption-capable primary key or subkey.

Messages are encrypted automatically only when every recipient has a usable key. Internal same-domain messages keep the stricter local policy: they require automatic GnuPG signing and encryption before sending.

## Related DNS Records

RFC 7929 defines DANE `OPENPGPKEY` records. This profile treats DANE as related support, not a v1 requirement.

TXT pointer records MAY be used as a non-standard local extension, but they are not the primary discovery mechanism and MUST NOT replace WKD interoperability.

## Privacy Considerations

WKD does not publish plaintext email addresses in filenames, but the hash is enumerable by guessing common local-parts. The real privacy control is the absence of directory listings or index endpoints.

This profile publishes only public keys from server-stored GnuPG keyrings. Browser-local OpenPGP.js keys are not published.

## References

- OpenPGP Web Key Directory draft
- RFC 7929: DNS-Based Authentication of Named Entities for OpenPGP
- RFC 8615: Well-Known Uniform Resource Identifiers
