Web Key Discovery

[Peter Lebbing]

On 06/04/18 15:48, Sam Bull wrote:
> In fact, I thought I read somewhere that there was a requirement for
> the email client using this system to not change the user's keyring.

The gpg command-line client itself can use this lookup method. GnuPG
only uses the keyring. Hence, the keyring is changed. I'd personally
prefer my e-mail client to have the same view of my keyring as my other
clients. I just read both the WKD wiki and the draft RFC this morning,
though in the latter I quickly skimmed through submission since I wasn't
interested in that before answering your mail. I did not see such a
requirement.

Finally, it's rather cumbersome to use keys not on the keyring, I
haven't personally experienced any clients that ever try to do this.

I think you are mistaken, but I'm not sure.

> And, if that is how it is implemented, surely that conflicts with
> other systems. e.g. When I read an email in Evolution, it will
> automatically fetch any attached key from the keyservers.

It does? That's a metadata leak. Some people might not mind, others would.

Does it do this to refresh the attached key?

Anyway, the mere presence of a key in the keyring does not make it
valid, like a WKD or DANE lookup might. I haven't looked at the
mechanism for validity through WKD and DANE; I just use TOFU and WoT
myself to establish validity. I will experiment with the others once I
get round to it. I think a WKD or DANE lookup combined with an
encryption action together establish First Use in the TOFU trust model,
but I'm not sure.

> There is already no requirement for a user ID to match the email
> address it was sent from (which could be faked anyway without DMARC
> validation). Therefore, if somebody sends me an email with a a
> completely different user ID, and then Evolution were to start
> behaving as you described, I could easily be sending encrypted emails
> to the wrong keys.

There should be some mechanism to establish validity. If Evolution
assigns validity based on reception of an unsigned e-mail, you should
probably file that as a security bug in Evolution. I don't use Evolution
for e-mail, I don't know anything about what it does with OpenPGP keys.

TOFU will tentatively assign validity to the key when it sees a
signature (and the UID matches), and will complain loudly once it sees a
different uid<->key binding at some later time. That's the whole point
of TOFU: Trust On First Use. This is First Use. (I'm no fan of the word
"Trust" in this monicker, it should be "validity" in OpenPGP terms)

> So, if you are expecting this system to only be used for discovery,
> and then encryption is done by searching the user's keyring, you have
> a whole bunch of other security issues caused by other discovery
> systems already in use.

You're missing one vital precondition: encryption is done by searching
the user's keyring for a *valid* key.

If WKD (or TOFU) does not meet your demands with regard to threat
models, you should use a more strict validity mechanism.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180406/76245829/attachment.sig>