WKD, wildcard DNS resolution (Re: Error when trying to locate key via WKD)

Bernhard Reiter bernhard at intevation.de
Thu Oct 28 13:25:05 CEST 2021



On Thursday, 28 October 2021 12:07:52, Andrew Gallagher via Gnupg-users wrote:
> On 28/10/2021 10:44, Bernhard Reiter wrote:
> > can you provide me a pointer to the gnupg-devel thread?
> > (Did a few minutes of searching, I probably missed something.)
>
> The megathread from hell starts here :-)
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html

That is not gnupg-_devel_ (where I was searching). :)
I actually read most of the January thread on "WKD for GitHub pages".

Interesting to me is:
https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
Ingo explaining that it is considered a security drawback if a domain
for the advanced method is there but does not allow a connection
with a valid TLS certificate.

The understanding of the current draft therefore is:
  If the subdomain for the advanced method resolves via DNS,
  the direct method MUST NOT be used.

Rationale: if the webspace of my email domain is not under my direct control, 
I'll use the advanced method to indicate a different WKD server I'll trust
(and control sufficiently to do so) by creating the necessary DNS entry.
If a WKD client would ask this email domain webspace in the direct method, 
there is an additional attack vector because I do not control the webserver.

On the other hand, if I trust my email domain webserver, the DNS provider can 
create the advanced method DNS entry and attack me. However this DNS provider
could also just change the entry to my email domain webserver.

If so, maybe the phrasing can be improved for the next draft.

Regards,
Bernhard



-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
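The selection rule discussed in the message above, written out as an added example; this is not code from the original post or from GnuPG. It builds the WKD advanced and direct URLs for an address (z-base-32 of the SHA-1 of the lower-cased local part) and then applies the reading of the draft that once `openpgpkey.<domain>` resolves in DNS, only the advanced method may be used. The DNS lookup is a hypothetical injected callable and the `FAKE_DNS` table is constructed so the script runs offline.

```python
import hashlib

# z-base-32 alphabet used by WKD for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, no padding."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD maps the lower-cased local part to z-base-32(SHA-1(local part))."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Build both WKD lookup URLs; the ?l= query carries the original (unhashed) local part."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
    }


def select_wkd_method(email: str, resolves) -> tuple:
    """Apply the rule from the thread: if openpgpkey.<domain> resolves via DNS, the advanced
    method is the only permitted one and the direct method is never used as a fallback.
    `resolves` is a hypothetical callable (hostname -> bool) injected so this runs offline."""
    domain = email.rsplit("@", 1)[1].lower()
    urls = wkd_urls(email)
    if resolves(f"openpgpkey.{domain}"):
        return ("advanced", urls["advanced"])
    return ("direct", urls["direct"])


# Constructed stand-in for DNS: only example.org publishes the advanced-method subdomain.
FAKE_DNS = {"openpgpkey.example.org"}


def fake_resolves(hostname: str) -> bool:
    return hostname in FAKE_DNS


if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "alice@example.net"):
        print(addr, "->", select_wkd_method(addr, fake_resolves))
```

The point of the rule shows in the second case: for example.net nothing resolves, so the direct URL is used, while for example.org the direct URL is never consulted even if the advanced server is unreachable.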