WKD proper behavior on fetch error

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 19 17:46:04 CET 2021


On Tue 2021-01-19 13:08:19 +0100, Werner Koch via Gnupg-users wrote:
> On Tue, 19 Jan 2021 09:28, Neal H. Walfield said:
>
>> When you look up the openpgpkey.example.org domain, you are revealing
>> to anyone snooping DNS traffic that you are using OpenPGP and are
>> looking for a key related to example.org.  That's a privacy issue.
>
> No, it isn't.  The next thing you do is to send the mail and get a
> reply.

I think it's fair to say that this is in fact a privacy issue, stemming
from the fact that the act of sending an e-mail to a given recipient
these days is largely invisible to the network monitor -- the user agent
typically speaks on the network only to the user's mail submission agent
(and that only through an encrypted connection). Any party monitoring
the user agent only sees the rough size of the message as it passes to
the MSA.

Given that situation, there are at least four different forms of privacy
leak (in descending order of importance) from using WKD:

 - the DNS lookup Neal describes above typically happens in the clear,
   and is visible to anyone watching your DNS traffic.  (even with
   encrypted DNS transport like DoT or DoH, your trusted resolver sees
   it).  Those same parties won't get to know that you're sending mail
   to someone in that domain otherwise.

 - When your client does the TLS handshake with openpgpkey.example.org
   for the HTTPS lookup, that leaks the domain name in the SNI field.
   This means that anyone observing your network traffic (even if you
   were using encrypted DNS transport) *also* learns that you're sending
   mail to someone in that domain.  They would not know this
   otherwise. (this can be fixed with TLS Encrypted Client Hello, but
   that extension is still under development, must be supported by both
   HTTPS client and server, and is far from widespread)

 - For many domains, the webserver operator is not the same party as the
   party that operates the e-mail infrastructure.  Thus, when a WKD
   lookup is made, the webserver operator learns information that they
   would not have access to without running the mailservers for the
   domain.  Note that the webserver operator also knows *exactly* which
   address the user has looked up, not just the domain -- while the
   local part is hashed, that hash can be reversed for low-entropy local
   parts; and in the current WKD spec the client actually reverses it
   directly with the l= query parameter.

 - Finally, even if the webserver operator has access to the same
   information as the mailserver, the recipient's key is often looked up
   via WKD *before* the message is sent, so it's possible that the user
   might not send the mail, or might only send the mail much later, or
   from a different network.  This is a temporal privacy leak, similar
   in form to the "foo is typing…" notifications displayed by some
   instant messengers.

Now, comparing any of these privacy leaks to the risks of sending e-mail
in the clear is another story -- people might well be willing to accept
the risks, or to be comfortable with them being mitigated by some of the
measures i've outlined above.

One could imagine a repressive regime on a crusade against leakers,
asking their local ISPs to inform them whenever someone prepares to send
an OpenPGP-encrypted e-mail to any e-mail address in the
@dissenting-newsroom.example domain, regardless of whether the message
is actually sent.  Widespread use of WKD would facilitate this kind of
risk to press freedom, even if the would-be leakers (and the newsroom)
were careful to use mailservers outside of the national jurisdiction.

WKD offers a huge boost in the usability of OpenPGP for e-mail, but we
shouldn't claim that it doesn't introduce any new privacy concerns.

        --dkg
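
Added example, not part of the original message and not GnuPG's own code: a sketch of what each party named in the list above gets to see for one WKD lookup using the advanced method, including why the hashed local part gives no confidentiality. The function names and the candidate word list are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import quote

# z-base-32 is RFC 4648 base32 with a different alphabet, so translate it.
_ZB32 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                      "ybndrfg8ejkmcpqxot1uwisza345h769")


def wkd_hash(local_part):
    """SHA-1 of the ASCII-lowercased local part, z-base-32 encoded (32 chars)."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    digest = hashlib.sha1(lowered.encode("utf-8")).digest()
    # 20 bytes = 160 bits = exactly 32 base32 symbols, so no padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_ZB32)


def wkd_lookup_exposure(address):
    """Map each observer from the message to what one lookup reveals to it."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    host = "openpgpkey." + domain
    url = ("https://" + host + "/.well-known/openpgpkey/" + domain
           + "/hu/" + wkd_hash(local) + "?l=" + quote(local))
    return {
        "dns_observer_or_resolver": host,   # name queried in DNS
        "tls_observer_sni": host,           # cleartext SNI without ECH
        "webserver_operator": url,          # full request, l= included
    }


def match_local_part(hashed, candidates):
    """Return the candidate whose WKD hash equals `hashed`, else None.

    Shows that a low-entropy local part is identifiable from the hash
    alone, even if the l= parameter were not sent.
    """
    for candidate in candidates:
        if wkd_hash(candidate) == hashed:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample address in a reserved example domain.
    for party, seen in wkd_lookup_exposure("Joe.Doe@Example.ORG").items():
        print(f"{party:26} {seen}")
```
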