Web Key Discovery

Peter Lebbing peter at digitalbrains.com
Fri Apr 6 11:12:24 CEST 2018


In addition to the security concerns of allowing a WKD key lookup to
introduce keys with User IDs not matching said lookup:

I think WKD is used for key discovery and validity (to a certain
extent), but not key binding: it doesn't instruct your client to use a
certain key for a certain e-mail address.

On 03/04/18 13:02, Sam Bull wrote:
> Also note in the DANE RFC, it only says:
> 
>     One User ID Y, which SHOULD match     'hugh at example.com'
> 
> i.e. If the user ID doesn't match, it won't cause a validation error (it's a recommendation, rather than a requirement).

Have you actually tried this and does it produce a meaningful result?
Even though it might be spec conformant, it might not be meaningful. I
don't know what GnuPG does in this case. Suppose GnuPG doesn't filter
this out immediately and adds the key for name at example.org to its
keyring and assigns it some validity, even though it requested the key
for alias at example.org. If it subsequently tries to encrypt to
alias at example.org, it comes to the odd conclusion that it doesn't have a
key for alias at example.org even though it literally just requested one
and got an answer. I suspect that it simply would not produce a
meaningful result.

Also note that even though you say "it won't cause a validation error",
I don't expect the spec forbids implementations to disregard the result
to their own discretion. GnuPG might simply ignore the result anyway and
be fully conformant.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
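The scenario Peter describes above (a WKD lookup for alias@example.org that answers with a key whose only User ID is name@example.org) can be made concrete with a small client-side check. The following is an added example and not code from this thread, from GnuPG or from the WKD draft: it derives the WKD lookup URLs for an address (SHA-1 of the lowercased local part, z-base-32 encoded, which is what the draft specifies) and then applies a defender-side policy that disregards the returned key unless at least one of its User IDs carries the requested address. The sample User IDs are constructed, and comparing the local part case-insensitively is an assumption made here for the sake of the policy, not something the draft mandates.

```python
"""Added example, not part of the original thread: check that a key
returned by a Web Key Directory (WKD) lookup really carries a User ID
for the address that was looked up, and disregard it otherwise."""
import hashlib
import re
from typing import List, Optional
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding: MSB-first 5-bit groups mapped to the alphabet."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # zero-pad the final group
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hashed_local(local_part: str) -> str:
    """WKD maps the lowercased local part to z-base-32(SHA-1), 32 characters."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Advanced and direct method URLs for an address, per the WKD draft."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hashed_local(local)
    l_param = quote(local, safe="")  # original-case local part as query hint
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


_ANGLE_ADDR = re.compile(r"<([^<>]+)>\s*$")


def uid_address(uid: str) -> Optional[str]:
    """Extract the e-mail address from a User ID such as 'Name <addr>' or a bare address."""
    m = _ANGLE_ADDR.search(uid)
    if m:
        return m.group(1)
    if "@" in uid and " " not in uid:
        return uid
    return None


def normalize_address(addr: str) -> str:
    """Assumption for this policy: compare local part and domain case-insensitively."""
    local, domain = addr.rsplit("@", 1)
    return local.lower() + "@" + domain.lower()


def matching_uids(requested: str, uids: List[str]) -> List[str]:
    """User IDs of the returned key whose address equals the requested one."""
    want = normalize_address(requested)
    hits = []
    for uid in uids:
        addr = uid_address(uid)
        if addr is not None and normalize_address(addr) == want:
            hits.append(uid)
    return hits


def accept_wkd_result(requested: str, uids: List[str]) -> bool:
    """Policy: only use the key if at least one User ID matches the lookup."""
    return len(matching_uids(requested, uids)) > 0


if __name__ == "__main__":
    urls = wkd_urls("alias@example.org")
    print("direct  :", urls["direct"])
    print("advanced:", urls["advanced"])
    # Constructed sample: the server answers the lookup for alias@example.org
    # with a key that only names name@example.org.
    mismatched = ["Name Example <name@example.org>"]
    print("accept mismatched key:", accept_wkd_result("alias@example.org", mismatched))
    # Constructed sample: the key also carries the requested address.
    matched = ["Name Example <name@example.org>", "Name Example <alias@example.org>"]
    print("accept matching key  :", accept_wkd_result("alias@example.org", matched))
```

Running the block prints both lookup URLs and shows the first key being rejected and the second accepted; a client that behaves this way never ends up in the state Peter describes, where a key for name@example.org sits in the keyring while encryption to alias@example.org still finds nothing.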
