WKD for GitHub pages
kloecker at kde.org
Sat Jan 9 23:06:26 CET 2021
On Samstag, 9. Januar 2021 20:50:54 CET Stefan Claas via Gnupg-users wrote:
> On Sat, Jan 9, 2021 at 8:08 PM Stefan Claas
> <spam.trap.mailing.lists at gmail.com> wrote:
> > host sac001.github.io
> > sac001.github.io has address 184.108.40.206
> > sac001.github.io has address 220.127.116.11
> > sac001.github.io has address 18.104.22.168
> > sac001.github.io has address 22.214.171.124
> > works as well and why can sequoia-pgp handle this and not GnuPG,
> > or gpg4win? Couldn't they not fall back then as well to the direct method?
> Wrong wording, not fall back but try direct method if for advanced method
> a cert error occurs.
The spec explicitly says:
"Only if the required sub-domain does not exist, they SHOULD fall back to the
Do you really think it would be a good idea if an application like gpg would
simply ignore a certificate error and then try something else?
Missing or wrong checks of server certificates are among the most common
security problems in many apps because they open the door for MITM attacks.
Yes, I know you don't suggest that gpg retrieves the key via the subdomain if
the certificate check for the subdomain fails, but I still think it's wrong to
ignore a potential security problem and try something else, unless the user
told gpg explicitly to use the direct method only. (I haven't checked if
there's an option for this.)
Apparently, sequoia-pgp chose usability over following the spec to the letter.
I hope they considered possible security implications.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 195 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users