Web Key Discovery

Sam Bull gnupg-devel at sambull.org
Fri Apr 6 15:48:25 CEST 2018


On Fri, 2018-04-06 at 11:12 +0200, Peter Lebbing wrote:
> I think WKD is used for key discovery and validity (to a certain
> extent), but not key binding: it doesn't instruct your client to use a
> certain key for a certain e-mail address.

> If it subsequently tries to encrypt to
> alias at example.org, it comes to the odd conclusion that it doesn't have a
> key for alias at example.org even though it literally just requested one
> and got an answer. I suspect that it simply would not produce a
> meaningful result.

I hadn't thought of it that way. I was under the impression that the email
client would do a WKD lookup to find a key, and then use that.

In fact, I thought I read somewhere that there was a requirement for the email
client using this system to not change the user's keyring.

And, if that is how it is implemented, surely that conflicts with other systems.
e.g. When I read an email in Evolution, it will automatically fetch any attached
key from the keyservers.
There is already no requirement for a user ID to match the email address it was
sent from (which could be faked anyway without DMARC validation). Therefore, if
somebody sends me an email with a completely different user ID, and then
Evolution were to start behaving as you described, I could easily be sending
encrypted emails to the wrong keys.

So, if you are expecting this system to only be used for discovery, and then
encryption is done by searching the user's keyring, you have a whole bunch of
other security issues caused by other discovery systems already in use.