Web Key Discovery

Sam Bull gnupg-devel at sambull.org
Fri Apr 6 16:55:39 CEST 2018 

On Fri, 2018-04-06 at 16:19 +0200, Peter Lebbing wrote:
> > And, if that is how it is implemented, surely that conflicts with
> > other systems. e.g. When I read an email in Evolution, it will
> > automatically fetch any attached key from the keyservers.
> It does? That's a metadata leak. Some people might not mind, others would.

So, Evolution just uses GnuPG directly, and I've added to the GnuPG config:

keyserver-options auto-key-retrieve

So, in actual fact, it is not Evolution performing this action itself, nor is it
the default behaviour.

> Anyway, the mere presence of a key in the keyring does not make it
> valid, like a WKD or DANE lookup might.

Right, but likewise, what if WKD decides a key is valid, but it has multiple
user IDs, then once again I could receive a "valid" key with a user ID that
doesn't belong to them and have the same issue.

The only way for this to work correctly, is if the email address the key has
been validated for is stored in addition to the key itself. At this point, there
is no advantage to the user ID matching the address, as you are individually
storing the addresses you have validated the key for.

> > There is already no requirement for a user ID to match the email
> > address it was sent from (which could be faked anyway without DMARC
> > validation). Therefore, if somebody sends me an email with a a
> > completely different user ID, and then Evolution were to start
> > behaving as you described, I could easily be sending encrypted emails
> > to the wrong keys.
> There should be some mechanism to establish validity. If Evolution
> assigns validity based on reception of an unsigned e-mail, you should
> probably file that as a security bug in Evolution. I don't use Evolution
> for e-mail, I don't know anything about what it does with OpenPGP keys.

I believe if you send a new message, it would never encrypt by default. The only
time it automatically encrypts (if you've enabled the settings) is when replying
to a message with a PGP signature. At that point you can be sure that you are
encrypting a reply to the person who sent you the message (regardless of the
email address).

I don't believe that it would automatically encrypt anything based on an email
address, and that is exactly why the WKD is here, to add that kind of feature.

I could be wrong on that though.

> > So, if you are expecting this system to only be used for discovery,
> > and then encryption is done by searching the user's keyring, you have
> > a whole bunch of other security issues caused by other discovery
> > systems already in use.
> You're missing one vital precondition: encryption is done by searching
> the user's keyring for a *valid* key.

Again, unless you have managed to validate every user ID, then it requires not
simply searching the keyring. But searching for a key that has been validated
against a specific address, in which case there is no reason to require the user
IDs to match, seeing as you've validated the key for an address regardless of
the user ID.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180406/88257525/attachment.sig>

More information about the Gnupg-devel mailing list