Web Key Directory - HTTP Redirect?

Wiktor Kwapisiewicz wiktor at metacode.biz
Mon Dec 17 21:09:34 CET 2018


On 16.12.2018 11:40, Patrick Brunschwig wrote:
> When a client does Key Discovery using the Web Key Directory, should it
> follow HTTP Redirects (HTTP Status 302) or is that not foreseen?

Hi Patrick, I asked that question some time ago [0] and the answer was
"redirects should be followed".

[0]: https://lists.gt.net/gnupg/devel/83924#83924

There are some restrictions implemented recently for the Location header:
https://dev.gnupg.org/rGfa1b1eaa4241ff3f0634c8bdf8591cbc7c464144

This page gives more details:
https://www.sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html

(as a side note it's interesting because this "CSRF" in GnuPG would not send any
cookies and the attack described in the advisory shows rather an issue with the
receiving app, not GnuPG... but that's a side note...)

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor


