AW: WKD lookup priority (Is: Web Key Service server lookup)

Jürgen Schäpker Juergen.Schaepker at giepa.de
Wed Nov 2 13:01:42 CET 2016


Hi,

>This approach would "lose" some information to an attacker that listens
>on the transport, because the DNS request is unencrypted.
>Of course this is not a lot of info, but it can be avoided by using WKD
>via https and wait for failure until trying the next. Usually the request will 
>be fast anyway. So I prefer doing WKD via https first (after internal cache 
>checking) and wait for the result before doing something else.

In practice this would mean waiting maybe 60 or 120 seconds for WKD to fail (if system timeouts are used) before starting other lookups.

I think it should be customizable if other lookups are started in parallel and the timeout period waiting for WKD.


Best regards,
JS


More information about the Gnupg-devel mailing list