WKD lookup (Re: Web Key Service server lookup)
Jürgen Schäpker
Juergen.Schaepker at giepa.de
Sun Nov 6 13:40:57 CET 2016
Hi,
"Werner Koch" <wk at gnupg.org> wrote:
>> How exactly is the domain-part supposed to be determined by the WKD
>> server?
> Strip everything up to and including the first '@' from the (UTF-8
> encoded) addr-spec.
My question was apparently ambiguous. My concern is the WKD server. How
does a WKD server know which domain it is serving for when the request
HOST header is modified (e.g. by a reverse proxy), so that the domain-part
cannot be determined from it?
Example scenario:
The WKD server is intended to provide keys for a.com, a.net, a.de,
bass.de, baß.de, Äppelwoi.de etc. WKD is redirected from all those
domains to some server at wkd.unrelated.com. At least from one of those
domains redirection is done by a request-modifying reverse proxy, e.g.
a.net requests reach the WKD with HOST reverse.nota.com.
The lookup hash for email addresses with local-part "joe" is the same
for all domains (if I don't misunderstand something fundamental in the
current draft) so there is always ambiguity. And non-ASCII local-parts
will only match by pure chance because they are not normalized.
I don't think the need to use RFC 3490 ToASCII (or similar) can be
avoided.
best regards,
JS
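The ambiguity described above can be reproduced with a few lines of code. The following is an added example, not code from this thread or from GnuPG: it implements the lookup hash as the WKD draft describes it (ASCII-only lowercasing of the local-part, SHA-1, z-base-32), uses Python's built-in `idna` codec for RFC 3490 ToASCII, and models a multi-domain server with a hypothetical `WkdStore` whose key table is indexed by (ASCII domain, hash). The sample addresses and key blobs are constructed. One caveat the example surfaces: Python's codec is IDNA2003, which folds `ß` to `ss`, so `baß.de` and `bass.de` collapse to the same ASCII name (IDNA2008 keeps `ß` as a distinct code point), which is a further source of collisions for a server that keys on the ToASCII form.

```python
import hashlib
import string

# z-base-32 alphabet: the encoding WKD applies to the SHA-1 digest.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
# The draft maps only ASCII uppercase to lowercase; non-ASCII is left alone.
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding: consume 5 bits at a time, MSB first.
    A 160-bit SHA-1 digest yields exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD lookup hash of the local-part only; the domain never enters the hash,
    so joe@a.com and joe@a.net produce the same path component."""
    mapped = local_part.translate(_ASCII_LOWER)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def domain_to_ascii(domain: str) -> str:
    """RFC 3490 ToASCII using Python's built-in IDNA2003 codec (nameprep + punycode)."""
    return domain.encode("idna").decode("ascii")


class WkdStore:
    """Hypothetical key table for a server that answers for several domains.
    Entries are indexed by (ASCII domain, hash), never by the hash alone."""

    def __init__(self):
        self._keys = {}

    def add(self, address: str, key_blob: bytes) -> None:
        local, _, domain = address.partition("@")
        self._keys[(domain_to_ascii(domain), wkd_hash(local))] = key_blob

    def resolve(self, host_header: str, hash_path: str):
        """All the server has is the request: the Host header names the domain,
        the path carries only the local-part hash. If a proxy rewrote Host,
        the original domain is gone and the lookup cannot succeed."""
        return self._keys.get((domain_to_ascii(host_header), hash_path))


def demo() -> dict:
    store = WkdStore()
    # Constructed sample entries, not real OpenPGP key material.
    store.add("joe@a.com", b"KEY-joe-a.com")
    store.add("joe@a.net", b"KEY-joe-a.net")
    h = wkd_hash("joe")  # identical for every domain
    return {
        "a_com": store.resolve("a.com", h),
        "a_net": store.resolve("a.net", h),
        # Request for a.net that arrived with a rewritten Host header.
        "proxied": store.resolve("reverse.nota.com", h),
        # IDNA2003 folds the sharp s, so the two domains collide after ToASCII.
        "idna_collision": domain_to_ascii("baß.de") == domain_to_ascii("bass.de"),
        # Only ASCII letters are case-mapped; a non-ASCII local-part is not normalized.
        "non_ascii_unnormalized": wkd_hash("jürgen") != wkd_hash("JÜRGEN"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Keying the table on (domain, hash) resolves the multi-domain ambiguity only as long as the domain actually survives the request path; when a reverse proxy rewrites Host, the server would need the domain conveyed some other way (a per-domain path or a forwarded-host header it is configured to trust).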