- 👀 I'm interested in AI, Privacy, Data Protection, Cybersecurity, and computer science.
- 🌱 I would like to spend more time learning what interests me... and it's so much stuff...
| 🧑🏼💼 To know something about me: | 🧑🏼💼 Qualcosa su di me: |
| EN About me | IT Chi sono |
- EN:
- IT:
As I wrote in my article entitled "Digital identity: Web Key Directory as a possible solution", I decided to set up my own Web Key Directory (WKD) to provide more security and to make it easier to identify the public keys of my email addresses.
Web Key Directory is a decentralized OpenPGP key discovery protocol that enables automatic public key retrieval using just an email address. Unlike traditional keyservers:
- 🔒 Domain-controlled: Key owners maintain full control
- 🌐 HTTPS-based: Leverages existing web infrastructure
- 🤖 Automatic: No manual key exchange required
- 🔐 Privacy-preserving: No central database of keys
I'm running the Advanced WKD method across multiple domains with the following architecture:
┌─────────────────┐
│ Email Client │
└────────┬────────┘
│ WKD Request
▼
┌─────────────────┐
│ DNS Resolution │
└────────┬────────┘
│ HTTPS
▼
┌─────────────────┐
│ Nginx Server │
│ ├─ TLS 1.3 │
│ ├─ CORS Headers│
│ └─ HSTS │
└────────┬────────┘
│
▼
┌─────────────────┐
│ WKD Directory │
│ .well-known/ │
│ └─openpgpkey/ │
│ └─domain/ │
│ ├─hu/ │
│ └─policy │
└─────────────────┘
| Feature | Implementation | Purpose |
|---|---|---|
| TLS 1.3 | ✅ Enforced | Modern encryption |
| HSTS | ✅ max-age=63072000 | Prevent downgrade attacks |
| CORS | ✅ Configured | Web tool compatibility |
| CSP | ✅ Restrictive | XSS protection |
| X-Frame-Options | ✅ DENY | Clickjacking prevention |
- HTTP/2 enabled for multiplexing
- Brotli compression for reduced bandwidth
- OCSP stapling for faster TLS handshakes
- Static file serving with nginx caching
Check my WKD implementation status:
| Tool | Provider | Features |
|---|---|---|
| WKD Checker | Miarecki | Both methods |
| DP42 Checker | DP42 | Advanced debugging |
Note: Metacode WKD Checker was discontinued on 1.05.2024
# Test WKD discovery
gpg --locate-external-keys "user at domain dot tld"
# Force WKD if disabled in config
gpg --auto-key-locate clear,wkd --locate-external-keys "user at domain dot tld"
# Debug WKD lookup
gpg --debug-level guru --locate-external-keys "user at domain dot tld" 2>&1 | grep wkdReplace placeholders with actual values:
# Standard fetch
gpg --locate-external-keys "nicola at myGitHubUsername dot eu"
# With explicit WKD
gpg --auto-key-locate clear,wkd --locate-external-keys "nicola at myGitHubUsername dot eu"Use the WKD checker tools to obtain the direct URL, then:
# Using curl with TLS 1.3
curl --tlsv1.3 -o publickey.asc "[URL-from-WKD-checker]"
# Using wget with security options
wget --secure-protocol=TLSv1_3 --max-redirect=0 -O publickey.asc "[URL-from-WKD-checker]"
# Verify the downloaded key
gpg --show-keys publickey.asc# Direct from GitHub
curl https://github.com/nicfab.gpg | gpg --import
# Or using GitHub API
curl https://api.github.com/users/nicfab/gpg_keys | jq -r '.[0].raw_key' | gpg --import| Client | Platform | Version | Auto-discovery |
|---|---|---|---|
| Thunderbird | Cross-platform | 78+ | ✅ Automatic |
| Evolution | Linux | 3.36+ | ✅ Automatic |
| KMail | Linux/KDE | 5.2+ | ✅ Automatic |
| Mutt | Unix-like | 2.0+ | ✅ With GPG |
| ProtonMail Bridge | Desktop | 2.0+ | ✅ On send |
| GPG Suite | macOS | 2020.2+ | ✅ Full |
| Gpg4win | Windows | 3.1.12+ | ✅ Full |
| Claws Mail | Cross-platform | 3.17+ | ✅ With plugin |
- K-9 Mail (Android) - Via OpenKeychain
- FairEmail (Android) - Built-in support
- Canary Mail (iOS) - Premium feature
The WKD protocol uses z-base32 encoded SHA-1 hashes:
# Python implementation example
import hashlib
import base64
def generate_wkd_hash(local_part):
"""Generate WKD hash from email local part"""
# SHA-1 hash of the lowercase local part
sha1 = hashlib.sha1(local_part.lower().encode()).digest()
# Z-base32 encoding (simplified example)
# Actual implementation requires proper z-base32
return base64.b32encode(sha1).decode().lower()[:32]graph LR
A[Email Client] --> B{WKD Method?}
B -->|Direct| C[openpgpkey.domain.tld]
B -->|Advanced| D[openpgpkey.domain.tld/domain.tld]
C --> E[/.well-known/openpgpkey/hu/]
D --> F[/.well-known/openpgpkey/domain.tld/hu/]
; Advanced method (recommended)
openpgpkey.example.com. IN A 203.0.113.1
openpgpkey.example.com. IN AAAA 2001:db8::1
; Direct method alternative
_openpgpkey.example.com. IN TXT "v=wkd1"
# WKD-specific location block
location /.well-known/openpgpkey/ {
default_type "application/octet-stream";
# Security headers
add_header X-Content-Type-Options nosniff always;
# CORS for web-based tools
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
# Cache control
add_header Cache-Control "public, max-age=7200";
# Disable directory listing
autoindex off;
}| Threat | Mitigation | Status |
|---|---|---|
| Key substitution | HTTPS + HSTS | ✅ Protected |
| Enumeration attacks | Rate limiting | |
| DNS hijacking | DNSSEC | |
| Privacy leaks | No logging of queries | ✅ Configured |
| DDoS attacks | CDN consideration | 📝 Future enhancement |
- 🔑 Key rotation: Annual review recommended
- 📊 Monitoring: Log analysis for anomalies
- 🔄 Backup: Offline key backup mandatory
- 🛡️ Signing keys: Keep offline when possible
- Implement rate limiting for enumeration protection
- Add DNSSEC for DNS integrity
- Consider CDN for global availability
- Automate key rotation workflow
- Add monitoring dashboard
- Implement backup WKD server
My WKD setup integrates seamlessly with Keyoxide, a decentralized identity verification platform. This creates a cryptographically verifiable digital identity that proves:
- ✅ I control the email addresses
- ✅ I own the associated domain names
- ✅ I manage the linked social accounts
- ✅ All without any central authority
In an era of deepfakes, phishing, and identity theft, cryptographic proof of identity is crucial. The combination of:
- WKD: Proves domain control
- OpenPGP: Provides cryptographic signatures
- Keyoxide: Verifies cross-platform identity
Creates an unforgeable chain of trust that definitively answers: "Is this really the person they claim to be?"
You can verify my complete digital identity through Keyoxide:
- Profile accessible at:
keyoxide.org/[email-address] - All proofs cryptographically linked to my OpenPGP keys
- No registration or central database required
This isn't just about technology - it's about digital sovereignty and taking control of our online identities in a decentralized, privacy-respecting way.
My WKD setup integrates seamlessly with Keyoxide, a decentralized identity verification platform. This creates a cryptographically verifiable digital identity.
In an era of deepfakes, phishing, and identity theft, cryptographic proof of identity is crucial. The combination of:
- WKD: Proves domain control through HTTPS
- OpenPGP: Provides unforgeable cryptographic signatures
- Keyoxide: Verifies cross-platform identity ownership
Creates an unbreakable chain of trust that definitively answers: "Is this really the person they claim to be?"
Email Address → WKD → OpenPGP Key → Keyoxide → Verified Identity
↓ ↓ ↓ ↓ ↓
"claimed" "domain "crypto "identity "proven
control" signature" proofs" authentic"
You can verify my complete digital identity through Keyoxide:
- Profile accessible at:
keyoxide.org/[email-address] - All proofs cryptographically linked to my OpenPGP keys
- No registration or central database required
Keyoxide can verify ownership of:
- GitHub/GitLab/Codeberg repositories
- Mastodon and Fediverse accounts
- Personal websites via DNS records
- Social media profiles
- Professional platforms
- And many more...
Each proof is cryptographically signed and impossible to forge.
This isn't just about technology - it's about:
- Digital Sovereignty: You control your identity
- Decentralization: No single point of failure
- Privacy: No tracking or data collection
- Trust: Mathematical proof, not corporate verification
In a world where anyone can claim to be anyone online, WKD + Keyoxide provides the solution: cryptographic certainty.
- Start with Advanced method - More flexible for subdomains
- Test locally first - Use
python -m http.serverfor testing - Validate CORS headers - Essential for web tools
- Monitor access logs - Watch for enumeration attempts
- Document everything - Future you will thank you
Found an issue or have suggestions? Feel free to:
- Open an issue on my repositories
- Contact me through the links above
- Share your WKD implementation experiences
- duxsco - For invaluable WKD implementation insights
- Jonatan Miarecki - For maintaining the excellent WKD checker tool
- GnuPG Team - For creating and maintaining the WKD specification
- Keyoxide Project - For promoting decentralized identity verification
🔄 Last updated: September 2025
🛡️ Security: HTTPS-only with TLS 1.3
🔑 Implementation: Advanced WKD method
📧 Privacy: No direct email exposure