WKD for GitHub pages

Ingo Klöcker kloecker at kde.org
Sat Jan 9 23:06:26 CET 2021


On Saturday, 9 January 2021 20:50:54 CET Stefan Claas via Gnupg-users wrote:
> On Sat, Jan 9, 2021 at 8:08 PM Stefan Claas
> <spam.trap.mailing.lists at gmail.com> wrote:
> > host sac001.github.io
> > sac001.github.io has address 185.199.111.153
> > sac001.github.io has address 185.199.109.153
> > sac001.github.io has address 185.199.110.153
> > sac001.github.io has address 185.199.108.153
> > 
> > works as well and why can sequoia-pgp handle this and not GnuPG,
> > or gpg4win? Couldn't they not fall back then as well to the direct method?
> 
> Wrong wording, not fall back but try direct method if for advanced method
> a cert error occurs.

The spec explicitly says:
"Only if the required sub-domain does not exist, they SHOULD fall back to the 
direct method."

Do you really think it would be a good idea if an application like gpg would 
simply ignore a certificate error and then try something else?

Missing or wrong checks of server certificates are among the most common 
security problems in many apps because they open the door for MITM attacks. 
Yes, I know you don't suggest that gpg retrieves the key via the subdomain if 
the certificate check for the subdomain fails, but I still think it's wrong to 
ignore a potential security problem and try something else, unless the user 
told gpg explicitly to use the direct method only. (I haven't checked if 
there's an option for this.)

Apparently, sequoia-pgp chose usability over following the spec to the letter. 
I hope they considered possible security implications.

Regards,
Ingo
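
The fallback rule quoted from the spec in the message above, as an added Python example (not part of the original message and not GnuPG's or sequoia-pgp's code). The URL layout follows the Web Key Directory draft; `SubdomainMissing`, `lookup`, the `lenient` switch and the injected `fetch` callables are hypothetical names, and the two fetchers are constructed stand-ins for the network so the block runs offline.

```python
import hashlib
import ssl
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

class SubdomainMissing(Exception):
    """Hypothetical error: the openpgpkey sub-domain has no DNS record."""

def wkd_urls(address):
    """Return (advanced_url, direct_url) for an e-mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    # hu = z-base-32 of SHA-1 over the lower-cased local part (160 bits -> 32 chars)
    digest = int.from_bytes(hashlib.sha1(local.lower().encode()).digest(), "big")
    hu = "".join(ZBASE32[(digest >> shift) & 31] for shift in range(155, -1, -5))
    query = "?l=" + quote(local)
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{query}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}"
    return advanced, direct

def lookup(address, fetch, lenient=False):
    """Try the advanced method; use the direct method only when the rule allows it.

    fetch(url) is an injected callable (assumption) that returns key bytes,
    raises SubdomainMissing when the host does not resolve, and raises
    ssl.SSLCertVerificationError when the server certificate fails validation.
    """
    advanced, direct = wkd_urls(address)
    try:
        return "advanced", fetch(advanced)
    except SubdomainMissing:
        # The one case in which the spec says clients SHOULD fall back.
        return "direct", fetch(direct)
    except ssl.SSLCertVerificationError:
        if not lenient:
            raise  # surface the certificate problem instead of hiding it
        # lenient=True models the fall-back-on-certificate-error behaviour debated above
        return "direct", fetch(direct)

def fetch_no_subdomain(url):  # constructed: openpgpkey.<domain> does not exist
    if url.startswith("https://openpgpkey."):
        raise SubdomainMissing(url)
    return b"constructed key bytes"

def fetch_bad_cert(url):  # constructed: sub-domain resolves, certificate does not match
    if url.startswith("https://openpgpkey."):
        raise ssl.SSLCertVerificationError("certificate does not match host name")
    return b"constructed key bytes"
```

With `lenient=False` a certificate failure on the sub-domain reaches the caller, so the user sees it; with `lenient=True` the same failure is silently replaced by a direct-method lookup.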