Web Key Directory

Guilhem Moulin guilhem at fripost.org
Fri May 13 17:03:15 CEST 2016


In the Web Key Directory Update Protocol section,

  125 3. The provider checks that the received key has a User ID which
  126     - matches an account name of the provider,
  127     - and that the from address matches that account.

In the second requirement, do you mean the (SMTP/LMTP) envelope from
address, or the RFC 5322 From: header value?  I don't really understand
the reason behind this requirement anyway, as in either case the value
is easily forgeable.  Is it meant to discriminate between multiple User
IDs each matching an account name of the provider?  Why not send the
challenge to all matching addresses?  (Also, unlike Sender:, the From:
header value can be set to multiple addresses.)

Also, it would be convenient to have the ability to filter out the
confirmation requests client side.  If the Content-Type value is
registered and reserved for that use only one could use it as selector;
otherwise how about requiring the presence of another X- header?

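The two readings of "the from address" raised in the message above, worked through as an added example (not part of the original message or of the Web Key Directory draft). The domain, account names, User IDs and the submission message are constructed, and `local_account` and `challenge_targets` are hypothetical helper names.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

PROVIDER_DOMAIN = "example.org"          # assumption: the provider's mail domain
ACCOUNTS = {"alice", "alice.work"}       # assumption: existing account names

def local_account(addr):
    """Return the account name if addr belongs to the provider, else None."""
    local, _, domain = addr.lower().rpartition("@")
    return local if domain == PROVIDER_DOMAIN and local in ACCOUNTS else None

def challenge_targets(user_ids, envelope_from, raw_message):
    """Show which User ID addresses each reading of 'from address' selects."""
    msg = message_from_string(raw_message)
    uid_addrs = {parseaddr(uid)[1].lower() for uid in user_ids}
    matching = {a for a in uid_addrs if local_account(a)}
    # From: may legally list several mailboxes; the envelope sender is a single path.
    header_from = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    return {
        "uid_matches": sorted(matching),                       # challenge all of these
        "by_envelope": sorted(matching & {envelope_from.lower()}),
        "by_header": sorted(matching & header_from),
    }

# Constructed sample: a key with three User IDs, submitted by mail.
USER_IDS = [
    "Alice <alice@example.org>",
    "Alice (work) <alice.work@example.org>",
    "Alice <alice@elsewhere.example>",
]
RAW = (
    "From: Alice <alice@example.org>, alice.work@example.org\r\n"
    "Sender: alice@example.org\r\n"
    "Subject: key submission\r\n"
    "\r\n"
    "(key material omitted)\r\n"
)

if __name__ == "__main__":
    for name, addrs in challenge_targets(USER_IDS, "alice@example.org", RAW).items():
        print(f"{name}: {addrs}")
```

Neither the envelope sender nor the From: header is authenticated here, so both filters only narrow the candidate list; the confirmation challenge sent to the address itself is what ties the key to the account.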