WKD for GitHub pages

Stefan Claas spam.trap.mailing.lists at gmail.com
Sat Jan 9 23:40:32 CET 2021 

On Sat, Jan 9, 2021 at 11:09 PM Ingo Klöcker <kloecker at kde.org> wrote:
>
> On Samstag, 9. Januar 2021 20:50:54 CET Stefan Claas via Gnupg-users wrote:
> > On Sat, Jan 9, 2021 at 8:08 PM Stefan Claas
> > <spam.trap.mailing.lists at gmail.com> wrote:
> > > host sac001.github.io
> > > sac001.github.io has address 185.199.111.153
> > > sac001.github.io has address 185.199.109.153
> > > sac001.github.io has address 185.199.110.153
> > > sac001.github.io has address 185.199.108.153
> > >
> > > works as well and why can sequoia-pgp handle this and not GnuPG,
> > > or gpg4win? Couldn't they not fall back then as well to the direct method?
> >
> > Wrong wording, not fall back but try direct method if for advanced method
> > a cert error occurs.
>
> The spec explicitly says:
> "Only if the required sub-domain does not exist, they SHOULD fall back to the
> direct method."
>
> Do you really think it would be a good idea if an application like gpg would
> simply ignore a certificate error and then try something else?
>
> Missing or wrong checks of server certificates are among the most common
> security problems in many apps because they open the door for MITM attacks.
> Yes, I know you don't suggest that gpg retrieves the key via the subdomain if
> the certificate check for the subdomain fails, but I still think it's wrong to
> ignore a potential security problem and try something else, unless the user
> told gpg explicitly to use the direct method only. (I haven't checked if
> there's an option for this.)
>
> Apparently, sequoia-pgp chose usability over following the spec to the letter.
> I hope they considered possible security implications.

Well, I wish Werner would chime in, because what I really don't understand
why do we have two options, instead of one and why is the advanced method
the first one to be checked, if we have as first one the direct method, which
would tell me, as laymen, that a software would start first with the 'easier'
method.

Fact for me is, I do have a site, which users shows a valid SSL cert
and sequoia-pgp
honors this, while GnuPG and gpg4win do not honor this and give a cert error for
IMHO a second option GnuPG and gpg4win offers.

If for example WKD would be designed to only offer one option (advanced) well
then I could understand this issue better and even then Werner could think of
a GitHub subdomain solution.

And if Werner would allow an option in GnuPG that users can set a flag to do
this on their own 'risk' then this would be also IMHO a good option.

Would be cool if GitHub staff would see this thread and discuss this
with Werner.

Regards
Stefan

More information about the Gnupg-users mailing list