WKD lookup priority (Is: Web Key Service server lookup)
Bernhard Reiter
bernhard at intevation.de
Wed Nov 2 10:37:16 CET 2016
On Tuesday 01 November 2016 12:49:59, Jürgen Schäpker wrote:
> Regarding the proposed lookup solution:
> One idea would be to allow parallel lookups and use the results retrieved
> by priority when the timeout has expired and the highest priority (WKD) did not
> deliver anything before the timeout.
This approach would "lose" some information to an attacker that listens
on the transport, because the DNS request is unencrypted.
Of course this is not a lot of info, but it can be avoided by using WKD
via https and waiting for failure before trying the next. Usually the request will
be fast anyway. So I prefer doing WKD via https first (after internal cache
checking) and waiting for the result before doing something else.
Best,
Bernhard
--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
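
The trade-off discussed in this message, as an added example that is not part of the original post or of GnuPG's code: two constructed locators (`wkd` over HTTPS, `dns` unencrypted) are run sequentially and in parallel, and the sketch records which lookups put the address on a cleartext transport. The locator names, keys and address are constructed, and the internal cache is assumed to have missed already.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for real locators, in priority order:
# (method name, whether its transport is encrypted).
METHODS = [("wkd", True), ("dns", False)]

def build_locators(answers, wire_log):
    """answers: method -> key or None (constructed test data).
    Each locator records (method, encrypted) in wire_log when it is called."""
    def make(name, encrypted):
        def locate(addr):
            wire_log.append((name, encrypted))
            return answers.get(name)
        return name, locate
    return [make(n, e) for n, e in METHODS]

def sequential_lookup(addr, locators):
    """Try each method in priority order and wait for its result
    before starting the next one; stop at the first key found."""
    for name, locate in locators:
        key = locate(addr)
        if key is not None:
            return name, key
    return None, None

def parallel_lookup(addr, locators, timeout=5.0):
    """Start every method at once, then take the highest-priority
    result that was delivered within the timeout."""
    with ThreadPoolExecutor(max_workers=len(locators)) as pool:
        futures = [(n, pool.submit(f, addr)) for n, f in locators]
        for name, fut in futures:
            key = fut.result(timeout=timeout)
            if key is not None:
                return name, key
    return None, None

def cleartext_queries(wire_log):
    """Methods that exposed the looked-up address on an unencrypted transport."""
    return sorted(n for n, enc in wire_log if enc is False)

def compare(answers, addr="alice@example.org"):
    """Run both strategies on the same answers and report the exposure of each."""
    seq_log, par_log = [], []
    seq = sequential_lookup(addr, build_locators(answers, seq_log))
    par = parallel_lookup(addr, build_locators(answers, par_log))
    return seq, cleartext_queries(seq_log), par, cleartext_queries(par_log)

if __name__ == "__main__":
    print(compare({"wkd": "KEY-FROM-WKD", "dns": "KEY-FROM-DNS"}))
    print(compare({"dns": "KEY-FROM-DNS"}))
```

Both strategies return the same key; they differ only in whether the unencrypted query is sent when WKD would have answered.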