WKD v05: DNS problem when requesting pubkey

Bernhard Reiter bernhard at intevation.de
Thu Apr 5 12:02:52 CEST 2018

Dear GnuPG-people,

just a brief note that yesterday I've discovered that the current v05 spec of 
WKD has an implementation problem:

When requesting a pubkey a client MUST do a DNS query to an SRV record 
The reason this was added by Wener is that some email providers do not have 
access to the webserver on the domain they are serving emails for.

However according to my research, code running inside  a webbrowser - either 
from a webpage or as extension - **cannot do a DNS request** on its own. 
Webbrowser upstreams have so far declined to implement RFC 2782 for HTTP and 
probably won't ever implement it. There is also no API to do such a DNS 
request or a way to do UDP or TCP to implement it in javascript within the 

Usually if a webclient software needs a request like this, they'd work around 
this limitation by either using a service on a server. They could implement a 
native code extension via Native Messaging. Both ways do not work well for a 
webclient that wants to do a WKD request because using a service degrades the 
security of the request as it gets to be attacked by the service provider.
A native messaging solution is less usable because it would need support on 
the operating system level to render the extension workable, which 
complicates the installation a lot.

Pondering other solutions: from Thomas Oberndörfer I've got the idea that we 
could use the mandatory policy file to allow a "redirect". This may be easier 
than doing a real redirect on the webserver or an internal proxying from the 
webserver to the email providers WKD webserver.

I appreciate comments!
Does someone see another possibility to implement
a DNS SRV request in the browser?
Any other ideas how to solve the problem?

Best Regards,

links the current WKD spec and mentions other details.

www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180405/180bc3cd/attachment.sig>

More information about the Gnupg-devel mailing list