WKD spec, draft 05

Bernhard Reiter bernhard at intevation.de
Tue Jan 9 10:10:18 CET 2018



On Tuesday 09 January 2018 09:53:03, Werner Koch wrote:
> On Mon,  8 Jan 2018 08:48, bernhard at intevation.de said:
> > The problem is not the pubkeys, but it can be used to detect all
> > existing email addresses of an email domain (that have pubkeys). 

> You can do that with and without an index file.  It might be easier with
> an index file because you can get the list of local-part hashes all at
> once. 

If you agree that it is harder without an index file, then we are on the same 
page, as security economics is always about making some "attacks" a bit 
harder.

> But in any case you need to compile a list of local-parts to test 
> whether the hash exists.  However, spammers have more resources than
> everyone else and thus it does not really matter whether they do lots of
> https queries or simply send test mails.

I guess some standard countermeasures could be used to make it less feasible 
to walk all email address hashes if there are no index files. Server 
providers e.g. could tarpit or auto-blacklist requestors based on requests to 
honey email addresses. So far I believe it does matter (at least a little 
bit).

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
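
The honey-address countermeasure suggested in the message above, as an added example that is not part of the original post or of any GnuPG code: it derives the WKD lookup hash (SHA-1 of the lowercased local-part, z-base-32 encoded) for a set of honey local-parts and flags clients whose requests hit one. The log layout, honey names, user names and client addresses are constructed assumptions.

```python
import base64
import hashlib
import re

# WKD's z-base-32 alphabet, mapped from the RFC 4648 base32 alphabet.
ZB32 = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       b"ybndrfg8ejkmcpqxot1uwisza345h769")

def wkd_hash(local_part):
    """SHA-1 of the ASCII-lowercased local-part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.encode("utf-8").lower()).digest()
    return base64.b32encode(digest).translate(ZB32).decode("ascii")

# Assumed access-log layout: client address first, then a quoted request line.
# Only the direct lookup path /.well-known/openpgpkey/hu/<hash> is matched.
REQ = re.compile(r'^(\S+) [^"]*"(?:GET|HEAD) /\.well-known/openpgpkey/hu/'
                 r'([a-z0-9]{32})(?:\?\S*)? HTTP/')

def flag_enumerators(log_lines, honey_local_parts):
    """Map each client that requested a honey hash to the honey names it hit."""
    honey = {wkd_hash(lp): lp for lp in honey_local_parts}
    hits = {}
    for line in log_lines:
        m = REQ.match(line)
        if m and m.group(2) in honey:
            hits.setdefault(m.group(1), set()).add(honey[m.group(2)])
    return {client: sorted(names) for client, names in hits.items()}

# Constructed honey local-parts: never given to a person, so any lookup is a probe.
HONEY = ["honeypot-1", "trap.sales"]

def sample_log():
    """Constructed log lines (documentation-range addresses, made-up users)."""
    def line(ip, local_part, status):
        return (f'{ip} - - [09/Jan/2018:10:00:00 +0100] "GET '
                f'/.well-known/openpgpkey/hu/{wkd_hash(local_part)} HTTP/1.1" '
                f'{status} 0')
    return [
        line("192.0.2.10", "alice", 200),         # ordinary single lookup
        line("198.51.100.7", "admin", 404),       # dictionary walk begins
        line("198.51.100.7", "honeypot-1", 200),  # honey hit
        line("198.51.100.7", "Trap.Sales", 200),  # honey hit, case-folded
        line("198.51.100.7", "alice", 200),
    ]

if __name__ == "__main__":
    for client, names in flag_enumerators(sample_log(), HONEY).items():
        print(f"tarpit/block candidate {client}: requested {names}")
```

The returned client addresses are what a tarpit or blocklist on the key server would consume; a client that only looks up real users, like 192.0.2.10 here, is not flagged.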