WKD lookup priority (Is: Web Key Service server lookup)

Bernhard Reiter bernhard at intevation.de
Wed Nov 2 10:37:16 CET 2016

Am Dienstag 01 November 2016 12:49:59 schrieb Jürgen Schäpker:
> Regarding the lookup proposed solution:
> One idea would be to allow parallel lookups and using the results retrieved
> by priority when the timeout expired and the highest priority (WKD) did not
> deliver anything before timeout.

This approach would "lose" some information to an attacker that listens
on the transport, because the DNS request is unencrypted.
Of course this is not a lot of info, but it can be avoided by using WKD
via https and wait for failure until trying the next. Usually the request will 
be fast anyway. So I prefer doing WKD via https first (after internal cache 
checking) and wait for the result before doing something else.


www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20161102/700a8b41/attachment.sig>

More information about the Gnupg-devel mailing list