On Thursday, 28 October 2021 12:07:52, Andrew Gallagher via Gnupg-users wrote:
> On 28/10/2021 10:44, Bernhard Reiter wrote:
> > can you provide me a pointer to the gnupg-devel thread?
> > (Did a few minutes of searching, I probably missed something.)
>
> The megathread from hell starts here :-)
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html

That is not gnupg-_devel_ (where I was searching). :)
I actually read most of the January thread on "WKD for GitHub pages".

Interesting to me is:
https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
Ingo explaining that it is considered a security drawback if a domain
for the advanced method is there but does not allow a connection with
a valid TLS certificate.

The understanding of the current draft therefore is:
If the subdomain for the advanced method resolves via DNS,
the direct method MUST NOT be used.

Rationale: if the webspace of my email domain is not under my direct
control, I'll use the advanced method to indicate a different WKD server
I'll trust (and control sufficiently to do so) by creating the necessary
DNS entry. If a WKD client would ask this email domain webspace in the
direct method, there is an additional attack vector because I do not
control the webserver.

On the other hand, if I trust my email domain webserver, the DNS provider
can create the advanced method DNS entry and attack me. However, this DNS
provider could also just change the entry to my email domain webserver.

If so, maybe the phrasing can be improved for the next draft.

Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
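The client-side rule Bernhard summarises above (if the advanced-method sub-domain resolves via DNS, use only the advanced method; a TLS failure there is a hard failure and must not fall back to the direct method), written out as an added Python example. This is not code from the original message, from the WKD draft or from GnuPG. It assumes the URL layout of the WKD draft: the hashed local part is the z-base-32 encoding of SHA-1 over the lower-cased local part, the advanced URL lives under `openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/<hash>`, and the direct URL under `<domain>/.well-known/openpgpkey/hu/<hash>`. The names `wkd_urls`, `host_resolves`, `https_get`, `lookup_key` and `WkdResult` are chosen here; the resolver and fetcher are injectable so the no-fall-back behaviour can be exercised offline with constructed stand-ins.

```python
"""WKD lookup illustrating: advanced sub-domain present => advanced method only.

Added example; not the WKD draft's or GnuPG's own code. URL layout follows the
draft; function names are this example's own.
"""
import hashlib
import socket
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import quote

# z-base-32 alphabet used for the hashed local part in WKD URLs.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: MSB-first 5-bit groups, last group left-aligned, no padding chars."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Dict[str, str]:
    """Advanced- and direct-method URLs for a mail address (domain lower-cased)."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")   # local part as given, percent-encoded
    adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced_host": f"openpgpkey.{domain}",
        "advanced": f"{adv}/hu/{h}{query}",
        "advanced_policy": f"{adv}/policy",
        "direct": f"{direct}/hu/{h}{query}",
        "direct_policy": f"{direct}/policy",
    }


def host_resolves(hostname: str) -> bool:
    """Real DNS check: does the advanced sub-domain have any address record?"""
    try:
        socket.getaddrinfo(hostname, 443)
        return True
    except socket.gaierror:
        return False


def https_get(url: str) -> bytes:
    """Fetch over HTTPS with certificate validation (default SSL context)."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


@dataclass
class WkdResult:
    method: str             # "advanced" or "direct"
    url: str                # the one URL that was contacted
    key: Optional[bytes]    # binary OpenPGP key, or None on failure
    error: Optional[str]    # reason for failure, or None


def lookup_key(address: str,
               resolves: Callable[[str], bool] = host_resolves,
               fetch: Callable[[str], bytes] = https_get) -> WkdResult:
    """Pick exactly one method from the DNS check, then never switch to the other.

    If openpgpkey.<domain> resolves, the advanced method is authoritative: a TLS
    or HTTP failure there is reported as a failure, not worked around by trying
    the direct method (which the key owner may not control).
    """
    urls = wkd_urls(address)
    if resolves(urls["advanced_host"]):
        method, url = "advanced", urls["advanced"]
    else:
        method, url = "direct", urls["direct"]
    try:
        return WkdResult(method, url, fetch(url), None)
    except OSError as exc:   # ssl.SSLError, URLError, socket errors all derive from OSError
        return WkdResult(method, url, None, f"{type(exc).__name__}: {exc}")


if __name__ == "__main__":
    # Offline demonstration with constructed stand-ins for DNS and HTTPS.
    for name, u in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {u}")
    print(lookup_key("Joe.Doe@Example.ORG", resolves=lambda h: True,
                     fetch=lambda u: b"<constructed key bytes>"))
```

With the real `host_resolves` and `https_get` defaults the function performs a live lookup; the point of the example is the shape of `lookup_key`: the DNS check alone decides the method, and the `except` branch reports rather than retries, so an attacker who controls only the e-mail domain's web space gains nothing from breaking TLS on the `openpgpkey` host.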