WKD lookup (Re: Web Key Service server lookup)

Jürgen Schäpker Juergen.Schaepker at giepa.de
Sun Nov 6 13:40:57 CET 2016


Hi,

"Werner Koch" <wk at gnupg.org> wrote:

>> How exactly is the domain-part supposed to be determined by the WKD
>> server?

> Strip everything up to and including the first '@' from the (UTF-8
> encoded) addr-spec.

My question was apparently ambiguous. My concern is the WKD server. How 
does a WKD server know which domain it is serving when the request 
HOST header has been modified (e.g. by a reverse proxy), so that the 
domain-part cannot be determined from it?

Example scenario:
The WKD server is intended to provide keys for a.com, a.net, a.de, 
bass.de, baß.de, Äppelwoi.de etc. WKD is redirected from all those 
domains to some server at wkd.unrelated.com. At least from one of those 
domains redirection is done by a request-modifying reverse proxy, e.g. 
a.net requests reach the WKD with HOST reverse.nota.com.

The lookup hash for email addresses with local-part "joe" is the same 
for all domains (if I don't misunderstand something fundamental in the 
current draft) so there is always ambiguity. And non-ASCII local-parts 
will only match by pure chance because they are not normalized.


I don't think the need to use RFC 3490 ToASCII (or similar) can be 
avoided.


best regards,
JS
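An added illustration of the two points made above (it is not part of this post, and not GnuPG's or the draft's code): it computes the local-part hash the way the draft describes (ASCII uppercase mapped to lowercase, then SHA-1, then z-base-32) and the domain-part via RFC 3490 ToASCII using Python's built-in `idna` codec. The helper names (`wkd_lookup_url`, `group_by_hash`) and the sample addresses are assumptions constructed for the example; the `Joe.Doe` test vector is the one given in the WKD draft.

```python
import hashlib
from collections import defaultdict

# z-base-32 alphabet used by the WKD draft for the local-part hash
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # right-pad the bit string to a multiple of 5 (no-op for a 160-bit digest)
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars)
    )


def wkd_local_part_hash(local_part: str) -> str:
    """Local-part hash as the draft specifies it.

    Only ASCII uppercase letters are mapped to lowercase; non-ASCII characters
    pass through untouched (no case folding, no Unicode normalization), which
    is exactly why non-ASCII local-parts only match by chance.
    """
    mapped = "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def domain_to_ascii(domain: str) -> str:
    """RFC 3490 ToASCII via Python's 'idna' codec (IDNA2003 nameprep rules)."""
    return domain.encode("idna").decode("ascii")


def wkd_lookup_url(addr_spec: str) -> str:
    """Direct-method WKD URL for an addr-spec (hypothetical helper, not GnuPG's)."""
    local_part, _, domain = addr_spec.partition("@")
    return (
        f"https://{domain_to_ascii(domain)}/.well-known/openpgpkey/hu/"
        f"{wkd_local_part_hash(local_part)}"
    )


def group_by_hash(addr_specs):
    """Group addresses by local-part hash: the hash alone cannot tell domains apart,
    so a server must recover the domain from the request itself."""
    groups = defaultdict(list)
    for addr in addr_specs:
        groups[wkd_local_part_hash(addr.partition("@")[0])].append(addr)
    return dict(groups)


if __name__ == "__main__":
    # constructed sample addresses mirroring the scenario in the post
    sample = ["joe@a.com", "joe@a.net", "Joe@baß.de", "joe@Äppelwoi.de"]
    for digest, addrs in group_by_hash(sample).items():
        print(digest, "<-", ", ".join(addrs))
    for addr in sample:
        print(addr, "->", wkd_lookup_url(addr))
```

Running it shows all four addresses landing on one hash, and `baß.de` and `bass.de` both becoming `bass.de` under IDNA2003, so a server that maps several domains onto one key store has to treat the ToASCII form of the domain, not the raw HOST header, as the lookup key.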

