WKD proper behavior on fetch error

Stefan Claas spam.trap.mailing.lists at gmail.com
Tue Jan 19 19:29:03 CET 2021


On Tue, Jan 19, 2021 at 7:06 PM Stefan Claas
<spam.trap.mailing.lists at gmail.com> wrote:
>
> On Tue, Jan 19, 2021 at 1:14 PM Werner Koch via Gnupg-users
> <gnupg-users at gnupg.org> wrote:
> >
> > On Tue, 19 Jan 2021 09:28, Neal H. Walfield said:
> >
> > > When you look up the openpgpkey.example.org domain, you are revealing
> > > to anyone snooping DNS traffic that you are using OpenPGP and are
> > > looking for a key related to example.org.  That's a privacy issue.
> >
> > No, it isn't.  The next thing you do is to send the mail and get a
> > reply.  Get real.
>
> I share the same sentiments as Neal, why?
>
> I am aware that the whole WWW can be scraped or searched in about
> a couple of minutes and let's say in my GitHub case I could imagine
> that for an explicit openpgpkey subdomain it could be possible to
> get all WKD directories, with an openpgpkey subdomain part, in
> case GitHub would do this (which they will hopefully not do.)
>
> And at least we have the direct-method for usage without an
> openpgpkey sub or sub-sub domain part. So why not give WKD
> enthusiasts this option and out of curiosity please try to
> explain to us why the current draft says MUST and not MAY
> or SHOULD? I like to learn, because WKD is freaking cool
> with OpenPGP apps, like sequoia-pgp or Mailvelope etc.

Example: Mallory sitting in the United States likes to prepare
a list (without my consent) and publish it on a U.S. site,
so that like SKS key server dumps the whole world can
obtain a list of all openpgpkey subdomains. So far so good.

Mr 'edge case' Stefan knows this and counterstrikes with
his domain radio-eriwan.su (which I own) and sets up for
Mr Mallory a WKD direct-method dir with n dummy keys.

Good luck Mr Mallory figuring out which domains have real
OpenPGP users' keys hosted and which not.

Best regards
Stefan
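
For readers following the thread, an added example (not part of the original message and not GnuPG code) that builds the two WKD lookup URLs for one address and shows which host name each method resolves in DNS, which is the point under debate. The URL layout and the z-base-32 SHA-1 hash follow the WKD draft; the function names are hypothetical and the address is the sample address used in the draft.

```python
import hashlib
from urllib.parse import quote, urlsplit

# z-base-32 alphabet used by WKD to encode the SHA-1 of the local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, MSB first."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5            # zero-pad the tail to a multiple of 5 bits
    bits <<= pad
    nbits += pad
    return "".join(ZBASE32[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))

def wkd_hash(local_part: str) -> str:
    """Hash of the local part; only ASCII letters are lowercased first."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    return zbase32(hashlib.sha1(lowered.encode("utf-8")).digest())

def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method URLs for an address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("expected local@domain")
    domain = domain.lower()
    h, l = wkd_hash(local), quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }

def dns_names(address: str) -> dict:
    """Host name a client resolves (and a DNS observer sees) per method."""
    return {m: urlsplit(u).hostname for m, u in wkd_urls(address).items()}

if __name__ == "__main__":
    addr = "Joe.Doe@example.org"   # sample address from the WKD draft
    for method, url in wkd_urls(addr).items():
        print(f"{method:8} DNS={dns_names(addr)[method]:24} {url}")
```

Only the advanced method puts the `openpgpkey` label into the DNS query; the hashed local part travels inside the HTTPS request in both cases.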


