ctf-like WKD challenge (was: WKD proper behavior on fetch error)

Ángel angel at pgp.16bits.net
Thu Jan 21 00:23:52 CET 2021

On 2021-01-20 at 08:08 +0100, Stefan Claas via Gnupg-users wrote:
> On Wed, Jan 20, 2021 at 12:41 AM Ángel <angel at pgp.16bits.net> wrote:
> > A list of all (well, most) openpgpkey subdomains can be easily
> > created.
> Yes and I believe that what Neal and you (in your new posting) have
> explained makes it only worthwhile for Mallory to start his work,
> because he has such an openpgpkey list created.

No, no, no. The idea of my previous mail was *precisely* that there is
no point for Mallory to do that.

Counting wkd servers can be interesting for statistics, measuring
adoption, etc. but that would be of no use for an attacker.

Ok, let's frame it a bit differently. I will give you a game.

Last night, I prepared the domain wkdtest.pgp.16bits.net. It is a valid
wkd server. I have just created and uploaded there a new pgp key, and
you have to obtain it:

«We have intercepted the following communication sent to a spy using
an undisclosed openpgp implementation. Based on the detected network
traffic, we are sure the key itself was downloaded using wkd, and the
domain of the userid to be ‘wkdtest.pgp.16bits.net’

Your mission, should you choose to accept it, is to find out the name
of the spy to which this communication was addressed:


-----END PGP MESSAGE-----»

Can you figure this out?
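
The following is an added example, not part of the original message. It shows how a WKD client derives the lookup URL: the path is the z-base32 encoding of the SHA-1 of the lowercased local part, so a server only answers for a local part the requester already knows, and the domain alone names no key. The function names are illustrative, and the test address is the example address used in the WKD Internet-Draft.

```python
import hashlib
from urllib.parse import quote

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base32 alphabet


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base32: 5 bits per character, most significant first."""
    nbits = len(data) * 8
    pad = -nbits % 5                      # zero bits appended to reach a multiple of 5
    bits = int.from_bytes(data, "big") << pad
    return "".join(ZB32[(bits >> s) & 31] for s in range(nbits + pad - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """Hashed user ID: z-base32(SHA-1(local part with ASCII letters lowercased))."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    return zbase32(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method lookup URLs for an address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    d = domain.lower()
    h = wkd_hash(local)
    q = "?l=" + quote(local, safe="")     # original local part, percent-encoded
    return {
        "advanced": f"https://openpgpkey.{d}/.well-known/openpgpkey/{d}/hu/{h}{q}",
        "direct": f"https://{d}/.well-known/openpgpkey/hu/{h}{q}",
    }


if __name__ == "__main__":
    # Example address from the WKD Internet-Draft, not a real mailbox.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:9s} {url}")
```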
