WKD vs VV and VVV

Bernhard Reiter bernhard at intevation.de
Wed Apr 25 13:36:46 CEST 2018

Am Mittwoch 25 April 2018 13:17:16 schrieb Vincent Breitmoser:
> > as WKD is not "walkable"
> E-Mail addresses are fairly walkable. If you consider a namespace like
> gmail, you'd likely be able to find a lot of valid addresses (and their
> keys) with a simple dictionary attack that combines names and numbers in
> the typical ways they are used in email addresses. 

I agree, of course. You can try the email provider's SMTP by use of a 
distributed bot-net for each address and you'd certainly find all of them 
with overseeable effort.

In more detail, my point is that WKD is not by concept "walkable" like a phone 
book or and it is not brute-forceable like a list of hashes on disk.
There are tactics defending against trying all email addresses via wkd, e.g. 
you could deliver fake pubkeys for each email-address, block pattern requests 
from certain network AS or just delay online requests. In the end this is 
nothing a well-funded and equipped attacker couldn't overcome, but still it 
raises the costs a little bit which I believe is important to many. 
(Otherwise it wouldn't be listed in a number of security goals declarations.)


www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180425/ff1bf4b2/attachment.sig>

More information about the Gnupg-devel mailing list