WKD proper behavior on fetch error

Stefan Claas stefan at ctemplar.com
Mon Jan 18 00:43:11 CET 2021


> @Stefan, are you aware that in your scheme involving sac001.github.io, whoever convinces GitHub to give them control over that subdomain can silently replace those public keys and start a man-in-the-middle attack? You could not even rely on the TLS layer, because GitHub probably will not revoke their wildcard certificate just for you. Hijacking a GitHub Pages user name seems more likely than taking over a well secured domain hosting account.

I encountered only one MITM attack a couple of years ago so far, from an SKS user. He was a retired police officer from Austria, who contacted me.

But what you say I was thinking about as well. My proposal was to include in the policy file fingerprint(s) of key(s) and generate an .ots file, from opentimestamps.org, from the policy file and put that .ots file somewhere. In the old days it was common, prior to starting encrypted comms, to compare fingerprints over other channels.

And regarding secure domains, would you consider VPS servers secure too for WKD?

I must say good night now.

BTW, I have not yet received your reply for my two other accounts, hence the late reply.

Best regards
Stefan
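The pinning idea in the reply above (fingerprints of the allowed keys listed in the WKD policy file, so that a key silently swapped on the hosting side no longer passes) can be checked on the client. The code below is an added example, not code from this thread, from GnuPG or from the WKD draft: it assumes a hypothetical `fingerprint:` line in the policy file (the draft defines no such line), computes the OpenPGP v4 fingerprint of a fetched public-key packet body per RFC 4880 section 12.2, and accepts the key only if that fingerprint is pinned. The sample key is constructed from tiny numbers and is not a real key.

```python
import hashlib
import re

# Hypothetical policy-file syntax (an assumption, not part of the WKD draft):
# one "fingerprint: <40 hex digits>" line per allowed key. Other lines, such as
# the real WKD flag "mailbox-only", are ignored by this check.
_FPR_LINE = re.compile(r"^\s*fingerprint:\s*([0-9A-Fa-f]{40})\s*$")


def v4_fingerprint(pubkey_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2): SHA-1 over the byte
    0x99, the two-byte big-endian length of the public-key packet body, and
    the body itself. Returned as 40 upper-case hex digits."""
    if len(pubkey_body) > 0xFFFF:
        raise ValueError("public-key packet body too long for a v4 fingerprint")
    framed = b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body
    return hashlib.sha1(framed).hexdigest().upper()


def encode_mpi(value: int) -> bytes:
    """RFC 4880 MPI: two-byte bit length followed by the big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def build_v4_pubkey_body(created: int, algo: int, mpis: list[int]) -> bytes:
    """Version 4 public-key packet body: version byte, 4-byte creation time,
    algorithm id, then the algorithm-specific MPIs (n and e for RSA, algo 1)."""
    header = bytes([4]) + created.to_bytes(4, "big") + bytes([algo])
    return header + b"".join(encode_mpi(m) for m in mpis)


def pinned_fingerprints(policy_text: str) -> set[str]:
    """Collect the fingerprints pinned in the (hypothetical) policy lines."""
    return {
        m.group(1).upper()
        for line in policy_text.splitlines()
        if (m := _FPR_LINE.match(line))
    }


def key_matches_policy(pubkey_body: bytes, policy_text: str) -> bool:
    """True only if the policy pins at least one fingerprint and the fetched
    key's fingerprint is among them. A policy with no pins fails closed."""
    pins = pinned_fingerprints(policy_text)
    return bool(pins) and v4_fingerprint(pubkey_body) in pins


# Constructed sample: a toy RSA-shaped key with tiny parameters (not a real key).
GENUINE_KEY = build_v4_pubkey_body(created=1610926991, algo=1,
                                   mpis=[0xC0FFEE1234567, 65537])
# The same key with one modulus bit changed: what a silently swapped key looks like.
SWAPPED_KEY = build_v4_pubkey_body(created=1610926991, algo=1,
                                   mpis=[0xC0FFEE1234566, 65537])

# Constructed policy file: the real "mailbox-only" flag plus the hypothetical pin.
POLICY_TEXT = "mailbox-only\nfingerprint: " + v4_fingerprint(GENUINE_KEY) + "\n"

if __name__ == "__main__":
    print("genuine key accepted:", key_matches_policy(GENUINE_KEY, POLICY_TEXT))
    print("swapped key accepted:", key_matches_policy(SWAPPED_KEY, POLICY_TEXT))
```

The pin set has to come from somewhere the hosting provider cannot rewrite (the reply suggests anchoring the policy file with an OpenTimestamps proof); if an attacker can edit both the keys and the policy file, the check adds nothing, which is why the function fails closed when no pins are present rather than treating an empty list as "anything goes".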

