WKD & Sequoia

Stefan Claas spam.trap.mailing.lists at gmail.com
Wed Jan 13 17:07:44 CET 2021

On Wed, Jan 13, 2021 at 10:22 AM André Colomb <andre at colomb.de> wrote:

> So the core problem, as with Stefan's case, is the lack of control over
> the domain's DNS settings.  Which the WKD mechanism relies upon to
> delegate trust to the domain operators.

Hi Andre, I wouldn't formulate it this way. I already mentioned that I am able
to set up for my 300baud.de domain a couple of droplets and use as suggested
a valid wildcard subdomain cert, like I explained with the bund.de example and
I am pretty sure that GnuPG and gpg4win will then fail, same as with GitHub.

Regarding Neal's attack example, I also posted here an idea to make it for
Mallory harder, to exchange (a) key(s) from a host, serving a WKD directory,
which also does not break the specs, by simply adding to the policy file
the fingerpint(s) and putting verifiable .ots file(s), in for example,
the hu folder.

Best regards

More information about the Gnupg-users mailing list