WKD proper behavior on fetch error

Neal H. Walfield neal at walfield.org
Mon Jan 18 15:50:15 CET 2021


On Mon, 18 Jan 2021 13:42:52 +0100,
André Colomb wrote:
> On 18/01/2021 10.14, Neal H. Walfield wrote:
> > In short: I understand the motivation for the subdomain.  I understand
> > why one should first check there.  But, I think we do our users a
> > disservice by not falling back to the direct method in the case of
> > DNS errors.
> 
> I suppose you mean other errors besides DNS?

Right, sorry!

> We need to remember that WKD is only a convenience mechanism for
> discovery, not any kind of authentication.  Sending encrypted e-mail to
> a domain which was also used to retrieve the encryption public key adds
> no protection against MITM, but only transport obscurity.  But that
> might still be better than no encryption at all, e.g. to set up an
> out-of-band key verification.

I agree.
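The disagreement in the thread is about one branch of the WKD client logic: after the advanced method (the `openpgpkey.` subdomain) fails, when should a client retry with the direct method? The following is an added example, not code from the thread or from GnuPG: it derives both WKD URLs for an address (the URL layout and z-base-32 hashing follow the OpenPGP Web Key Directory Internet-Draft), and makes the fallback rule an explicit, selectable policy so the two behaviours under discussion can be compared. The `Policy` names, the `FetchError` kinds and the fake fetcher are constructed for illustration; a real client would replace `fetch` with an HTTPS request.

```python
"""WKD URL derivation with a selectable fallback policy (added example).

The URL forms and the z-base-32 SHA-1 hash follow the WKD Internet-Draft;
the policy names, error kinds and fake fetcher are constructed for this example.
"""
import hashlib
from enum import Enum, auto
from typing import Callable, Dict, Optional, Tuple, Union
from urllib.parse import quote

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encoding without padding, as used for the WKD 'hu' path element."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # left-over bits are left-aligned into one final symbol
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Tuple[str, str]:
    """Return (advanced_url, direct_url) for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = wkd_hash(local)
    query = "?l=" + quote(local, safe="")  # the original local part is echoed back
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}"
    return advanced, direct


class FetchError(Exception):
    """Failure reported by the fetcher; `kind` is a constructed label such as
    'dns' (name does not resolve), 'tls', 'http' (e.g. 404) or 'timeout'."""

    def __init__(self, kind: str):
        super().__init__(kind)
        self.kind = kind


class Policy(Enum):
    DRAFT = auto()    # fall back to the direct method only when the subdomain does not resolve
    LENIENT = auto()  # fall back on any failure of the advanced method (the thread's proposal)


def lookup(address: str, fetch: Callable[[str], bytes],
           policy: Policy = Policy.DRAFT) -> Optional[bytes]:
    """Try the advanced method, then (depending on policy) the direct method.
    Returns the key bytes or None when no key could be retrieved."""
    advanced, direct = wkd_urls(address)
    try:
        return fetch(advanced)
    except FetchError as err:
        if policy is Policy.DRAFT and err.kind != "dns":
            return None  # subdomain exists but failed: the draft's rule says stop here
    try:
        return fetch(direct)
    except FetchError:
        return None


def make_fake_fetcher(responses: Dict[str, Union[bytes, FetchError]]) -> Callable[[str], bytes]:
    """Constructed stand-in for HTTPS: unknown URLs behave like an unresolvable name."""

    def fetch(url: str) -> bytes:
        outcome = responses.get(url, FetchError("dns"))
        if isinstance(outcome, FetchError):
            raise outcome
        return outcome

    return fetch


if __name__ == "__main__":
    # Constructed scenario: the openpgpkey subdomain resolves but its TLS setup is broken,
    # while the direct location serves the key.
    adv, direct = wkd_urls("Joe.Doe@Example.ORG")
    key = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n"
    fetch = make_fake_fetcher({adv: FetchError("tls"), direct: key})
    print("draft policy  :", lookup("Joe.Doe@Example.ORG", fetch, Policy.DRAFT))
    print("lenient policy:", lookup("Joe.Doe@Example.ORG", fetch, Policy.LENIENT))
```

The `Policy.DRAFT` branch encodes the behaviour the thread starts from (only a DNS failure of the subdomain triggers the direct method), and `Policy.LENIENT` the behaviour argued for above. Keeping the rule in one place makes the trade-off visible: the lenient policy retrieves more keys, but it also means a misconfigured subdomain is silently papered over rather than surfaced to the domain operator.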
