WKD proper behavior on fetch error
Neal H. Walfield
neal at walfield.org
Mon Jan 18 15:50:15 CET 2021
On Mon, 18 Jan 2021 13:42:52 +0100,
André Colomb wrote:
> On 18/01/2021 10.14, Neal H. Walfield wrote:
> > In short: I understand the motivation for the subdomain. I understand
> > why one should first check there. But, I think we do our users a
> > disservice by not falling back to the direct method in the case of
> > DNS errors.
> I suppose you mean other errors besides DNS?
> We need to remember that WKD is only a convenience mechanism for
> discovery, not any kind of authentication. Sending encrypted e-mail to
> a domain which was also used to retrieve the encryption public key adds
> no protection against MITM, but only transport obscurity. But that
> might still be better than no encryption at all, e.g. to set up an
> out-of-band key verification.
More information about the Gnupg-users