Web Key Directory - HTTP Redirect?

Wiktor Kwapisiewicz wiktor at metacode.biz
Mon Dec 17 21:09:34 CET 2018

On 16.12.2018 11:40, Patrick Brunschwig wrote:
> When a client does Key Discovery using the Web Key Directory, should it
> follow HTTP Redirects (HTTP Status 302) or is that not foreseen?

Hi Patrick, I've asked that question some time ago [0] and the answer was
"redirects should be followed".

[0]: https://lists.gt.net/gnupg/devel/83924#83924

There are some restrictions implemented recently for the Location header:

This page gives more details:

(as a side note it's interesting because this "CRSF" in GnuPG would not send any
cookies and the attack described in the advisory shows rather an issue with the
receiving app, not GnuPG... but that's a side note...)

Kind regards,


More information about the Gnupg-devel mailing list