WKD: User ID filtering

Werner Koch wk at gnupg.org
Thu Jun 21 09:39:34 CEST 2018


On Wed, 20 Jun 2018 22:06, gnupg-devel at gnupg.org said:

> Is this by design?

Yes, this is by design of the protocol.  The protocol asserts via TLS that
a user id is managed by a certain domain (i.e. mail provider).  A client
connects to the domain of a user id and looks up the key.  That key is
then stored in the local public keyring along with a flag that the user
id has been retrieved via WKD.

> Should this behavior be documented/recommended in the I-D?

I thought this was obvious.  I will add this to the security
considerations:

| The mail provider MUST make sure to filter a key in a way that only
| the User ID belonging to that user is returned and that confirmation
| requests are only sent for such User IDs.  It is further recommended
| that a client filters the key for a publication request so that only
| a key with the specific User ID of the provider is sent.


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
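The following is an added example, not code from this post or from GnuPG. It models the lookup step Werner describes (client derives the WKD URL for a mail address) and the two filtering rules he proposes for the security considerations (provider returns only the User ID belonging to the queried user; client submits only the provider's User ID for publication), on a constructed in-memory key model. Assumptions: the URL layout of the current WKD draft (direct and advanced method, SHA-1 of the lowercased local part encoded with z-base-32, original local part in `?l=`); the toy key dict `{"fingerprint", "user_ids"}`, `SAMPLE_KEY` and its placeholder fingerprint are constructed for this example; `import_from_wkd` is this example's own client-side choice of keeping only the queried User ID and flagging it as retrieved via WKD.

```python
"""Added example (not from the list post or GnuPG): WKD lookup URL construction
and User ID filtering on a constructed in-memory key model."""
import hashlib
from email.utils import parseaddr
from typing import Optional
from urllib.parse import quote

# z-base-32 alphabet, the encoding WKD specifies for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: bits taken MSB first, five per character, no padding."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 31])
    if nbits:  # trailing bits; never happens for a 20-byte SHA-1 digest
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hashed_local_part(local_part: str) -> str:
    """WKD maps the local part to lowercase, hashes it with SHA-1 and z-base-32 encodes it."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_lookup_url(address: str, advanced: bool = True) -> str:
    """Build the URL a WKD client fetches for `address`.

    advanced=True uses the 'advanced method' (openpgpkey subdomain), False the
    'direct method'. The original local part travels verbatim in the ?l= parameter.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = wkd_hashed_local_part(local_part)
    query = "?l=" + quote(local_part, safe="")
    if advanced:
        return f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}"
    return f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}"


def user_id_address(user_id: str) -> str:
    """Return the lowercased mail address inside an OpenPGP User ID, or '' if it has none."""
    _, addr = parseaddr(user_id)
    return addr.lower() if "@" in addr else ""


def filter_user_ids(key: dict, address: str) -> dict:
    """Return a copy of `key` carrying only the User ID(s) whose address is `address`.

    Toy key model (constructed for this example): {"fingerprint": str, "user_ids": [str]}.
    A provider applies this before answering a lookup or sending a confirmation
    request; a client applies it before submitting a key for publication.
    """
    wanted = address.lower()
    kept = [uid for uid in key["user_ids"] if user_id_address(uid) == wanted]
    return {"fingerprint": key["fingerprint"], "user_ids": kept}


def import_from_wkd(key: dict, queried_address: str) -> Optional[dict]:
    """Client side of a lookup (this example's choice): accept the key only if it
    carries a User ID for the address that was queried, keep just that User ID,
    and record that it was retrieved via WKD. Returns None if nothing matches."""
    filtered = filter_user_ids(key, queried_address)
    if not filtered["user_ids"]:
        return None
    return {
        "fingerprint": filtered["fingerprint"],
        "user_ids": {uid: "wkd" for uid in filtered["user_ids"]},
    }


# Constructed sample key with a placeholder fingerprint; not a real OpenPGP key.
SAMPLE_KEY = {
    "fingerprint": "PLACEHOLDER0000000000000000000000000000",
    "user_ids": [
        "Joe Doe <Joe.Doe@Example.ORG>",
        "Joe Doe <joe@other.example>",
        "Joe Doe (no mail address)",
    ],
}

if __name__ == "__main__":
    print(wkd_lookup_url("Joe.Doe@Example.ORG", advanced=False))
    print(filter_user_ids(SAMPLE_KEY, "joe.doe@example.org"))
    print(import_from_wkd(SAMPLE_KEY, "nobody@example.org"))
```

The same `filter_user_ids` serves both sides: the provider runs it with the address it is being asked about, the client runs it with the address it is publishing at that provider, so a key carrying User IDs for several providers never leaks the others' addresses in either direction.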