WKD spec, draft 05

Werner Koch wk at gnupg.org
Tue Jan 9 09:53:03 CET 2018


On Mon,  8 Jan 2018 08:48, bernhard at intevation.de said:

> The problem is not the pubkeys, but it can be used to detect all existing
> email addresses of an email domain (that have pubkeys). An advantage 

You can do that with and without an index file.  It might be easier with
an index file because you can get the list of local-part hashes all at
once.  But in any case you need to compile a list of local-parts to test
whether the hash exists.  However, spammers have more resources than
everyone else and thus it does not really matter whether they do lots of
https queries or simply send test mails.

>> A SHOULD NOT would be okay, though. 
>
> Adding a "SHOULD NOT" and a mention in the security considerations is an 
> improvement, thanks for adding it!

Thanks for suggesting this.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.