WKD v05: DNS problem when requesting pubkey
bernhard at intevation.de
Thu Apr 5 12:02:52 CEST 2018
just a brief note that yesterday I've discovered that the current v05 spec of
WKD has an implementation problem:
When requesting a pubkey a client MUST do a DNS query to an SRV record
The reason this was added by Werner is that some email providers do not have
access to the web server on the domain they are serving emails for.
However, according to my research, code running inside a web browser - either
from a webpage or as an extension - **cannot do a DNS request** on its own.
Web browser upstreams have so far declined to implement RFC 2782 for HTTP and
probably won't ever implement it. There is also no API to do such a DNS
Usually, if web client software needs a request like this, it works around
this limitation by either using a service on a server or implementing a
native code extension via Native Messaging. Both ways do not work well for a
web client that wants to do a WKD request because using a service degrades the
security of the request as it gets to be attacked by the service provider.
A native messaging solution is less usable because it would need support on
the operating system level to render the extension workable, which
complicates the installation a lot.
Pondering other solutions: from Thomas Oberndörfer I've got the idea that we
could use the mandatory policy file to allow a "redirect". This may be easier
than doing a real redirect on the web server or an internal proxying from the
web server to the email provider's WKD web server.
I appreciate comments!
Does someone see another possibility to implement
a DNS SRV request in the browser?
Any other ideas how to solve the problem?
links the current WKD spec and mentions other details.
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
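
The SRV step discussed in the message above, as an added example that is not part of the original post and is not GnuPG code: it picks the WKD origin from an SRV answer and shows what is left when no resolver exists, as in a browser. The owner name `_openpgpkey._tcp.<domain>`, the rule that a target must stay inside the mail domain, and all names and sample records are assumptions made for this sketch.

```javascript
// Added example (not GnuPG code). Assumptions, not stated in the post:
// SRV owner name "_openpgpkey._tcp.<domain>"; target must stay inside the mail domain.

// Strip a trailing dot and lowercase, so DNS names compare reliably.
const norm = (name) => String(name).toLowerCase().replace(/\.$/, "");

// True if host is the mail domain itself or one of its subdomains.
function withinDomain(host, domain) {
  const h = norm(host), d = norm(domain);
  return h === d || h.endsWith("." + d);
}

// Choose the WKD origin from SRV answers shaped like Node's dns.resolveSrv()
// output: { name, port, priority, weight }. Pass null when no resolver exists
// (the browser case from the post): the only option left is the mail domain.
function wkdOrigin(mailDomain, srvRecords) {
  const usable = (srvRecords || []).filter((r) =>
    withinDomain(r.name, mailDomain) &&
    Number.isInteger(r.port) && r.port > 0 && r.port < 65536);
  // Lowest priority wins; ties go to the higher weight (a deterministic
  // simplification of RFC 2782's weighted random choice).
  usable.sort((a, b) => a.priority - b.priority || b.weight - a.weight);
  const srv = usable[0];
  if (!srv) return { origin: `https://${norm(mailDomain)}`, viaSrv: false };
  const port = srv.port === 443 ? "" : `:${srv.port}`;
  return { origin: `https://${norm(srv.name)}${port}`, viaSrv: true };
}

// Native client: the resolver is injected; a failed lookup falls back.
async function discoverOrigin(mailDomain, resolveSrv) {
  let records = null;
  try {
    records = await resolveSrv(`_openpgpkey._tcp.${norm(mailDomain)}`);
  } catch (err) {
    records = null; // no SRV record or no resolver available
  }
  return wkdOrigin(mailDomain, records);
}

// Constructed sample answer: one out-of-domain target, one valid target.
const sampleSrv = [
  { name: "keys.other.example", port: 443, priority: 0, weight: 10 },
  { name: "wkd.example.org.", port: 8443, priority: 10, weight: 5 },
];
console.log(wkdOrigin("example.org", sampleSrv)); // native client with SRV
console.log(wkdOrigin("example.org", null));      // browser: no SRV lookup
```

In Node, `require("dns").promises.resolveSrv` can be passed as `resolveSrv`; page or extension code has nothing equivalent to pass, so it only ever reaches the fallback origin.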