Order of lookup methods in --auto-key-retrieve
Hello,

One of the lesser known things is that gpg can utilize Web Key Directory
lookup when verifying signatures made to unknown keys:

$ curl -sSL https://metacode.biz/.well-known/security.txt | gpg --auto-key-retrieve --verify
gpg: Signature made Sun Jun 24 18:24:28 2018 UTC
gpg: using RSA key 59A29DEA8D37388C656863DFB97A1EE09DB417EC
gpg: issuer "wiktor@metacode.biz"
gpg: requesting key B97A1EE09DB417EC from hkp server 127.0.0.1
gpg: key 6C8857E0D8E8F074: public key "..." imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature ...

The code checks first the keyserver and then the WKD domain. I guess
this is to limit the number of IP-leaking queries and prefer trusted
keyserver.

I'm wondering if reversing the order (first WKD, then keyserver)
wouldn't be a better option. The current mechanism is not perfect, so
the IP leak could still be triggered by an attacker using a
brand new key (one that is not published on keyservers).

On the other hand, trying WKD first would allow the key holder to return
a good key even if the key was spammed on keyservers to the point of not
being usable.

I did think about this scenario after reading the SKS Keyserver Network
Attack: Consequences post [0]:

> What's important is my instructions told them to check the digital signature. And today, if they do this it is overwhelmingly likely they'll get a poisoned certificate from the keyserver network and their GnuPG installation will break horribly.

GnuPG first trying WKD when verifying signatures would prevent this
specific issue.

Kind regards,
Wiktor

[0]: https://gist.github.com/rjhansen/f716c3ff4a7068b50f2d8896e54e4b7e

--
https://metacode.biz/@wiktor

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Order of lookup methods in --auto-key-retrieve
Hi,

On Sunday 30 June 2019 21:36:56 CEST Wiktor Kwapisiewicz via Gnupg-devel
wrote:
> The code checks first the keyserver and then the WKD domain. I guess
> this is to limit the number of IP-leaking queries and prefer trusted
> keyserver.

I do not think that this is really the reason. As we have the fingerprint when
we verify a signature, it is more accurate to look for a key with that
fingerprint on the keyserver than to only match the sender address with
WKD.

> I'm wondering if reversing the order (first WKD, then keyserver)
> wouldn't be a better option. The current mechanism is not perfect, so
> that the IP-leaking could still be triggered by attacker by using a
> brand new key (that is not published on keyservers).

I am fully with you. I've complained about this in the past, but it is not so
important to me anymore because in GpgOL I no longer use "auto-key-retrieve"
until I can show the unverified mail while the key is fetched.

For me it is even more important because GpgOL assigns keys that were fetched
through WKD some additional trust (Level 2) by using the key origin, because
the mail domain owner asserted this key. So if you have a key both on the
keyservers and WKD you will get a different trust level if you receive the key
by verifying a mail or if you receive the key by a "locate-key" when entering
the sender address.


I thought we had an issue for that already but I did not find it. So I've
created a new one. https://dev.gnupg.org/T4595


Best Regards,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799
Re: Order of lookup methods in --auto-key-retrieve
On Sun, 30 Jun 2019 21:36, gnupg-devel@gnupg.org said:

> The code checks first the keyserver and then the WKD domain. I guess
> this is to limit the number of IP-leaking queries and prefer trusted
> keyserver.

Right, that was one idea. The other reason is that it is not possible to
look up a key from the WKD using a fingerprint. Before rfc-4880bis added
the /Issuer Fingerprint/ to signatures we only had the /Issuer's User
ID/ information in a signature to look up a key. With 2.1.13 we added
the latter to all signatures if possible, to make --auto-key-retrieve
work.

I guess we should keep this information to prefer updating via WKD.

> I'm wondering if reversing the order (first WKD, then keyserver)
> wouldn't be a better option. The current mechanism is not perfect, so

Agreed.


Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are governed by a federal law.
Re: Order of lookup methods in --auto-key-retrieve
On 01.07.2019 09:14, Andre Heinecke wrote:
> I thought we had an issue for that already but I did not find it. So I've
> created a new one. https://dev.gnupg.org/T4595

Thank you Andre, also for adding me to subscribers. I'll follow it.

On 01.07.2019 19:29, Werner Koch wrote:
> Before rfc-4880bis added
> the /Issuer Fingerprint/ to signatures we only had the /Issuer's User
> ID/ information in a signature to lookup a key.

Understood.

For further context for people following this on the mailing list: the
Issuer User ID packet can be added to the signature by using
`default-key e-mail@example.com` instead of the hex fingerprint in gpg.conf
(or using the respective command line options). (Some other apps such as
OpenKeychain also insert this packet.)

Thank you both!

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
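Werner's point that WKD can only be queried by mail address while keyservers are queried by fingerprint, and Wiktor's note that the Signer's User ID subpacket is what makes the WKD path possible, can be illustrated by pulling both hints out of a signature. The following is an added example, not code from the thread or from GnuPG: it parses the hashed subpackets of a v4 OpenPGP signature body (RFC 4880 section 5.2.3.1, Issuer Fingerprint subpacket type 33 from rfc4880bis) and derives the WKD direct-method URL from the Signer's User ID. The signature body is constructed by hand and carries no real signature data; the fingerprint and address are the ones shown in the first message.

```python
import hashlib

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"   # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """z-base-32 without padding; 20-byte SHA-1 -> exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def wkd_direct_url(addr: str) -> str:
    """WKD direct method: hash of the lowercased local part, original local part in ?l=."""
    local, domain = addr.rsplit("@", 1)
    hu = zbase32(hashlib.sha1(local.lower().encode()).digest())
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{hu}?l={local}"

def parse_subpackets(buf: bytes) -> dict:
    """Return {type: body} for a signature subpacket region (length counts the type octet)."""
    out, i = {}, 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
        out[buf[i] & 0x7F] = buf[i + 1:i + length]   # mask the "critical" bit
        i += length
    return out

def lookup_hints(sig_body: bytes) -> dict:
    """Extract what --auto-key-retrieve could use: fingerprint/key ID (keyserver) and user ID (WKD)."""
    assert sig_body[0] == 4, "only v4 signature bodies are handled here"
    hashed_len = int.from_bytes(sig_body[4:6], "big")
    sub = parse_subpackets(sig_body[6:6 + hashed_len])
    hints = {}
    if 33 in sub and sub[33][0] == 4:           # Issuer Fingerprint: version octet + 20 bytes
        hints["fingerprint"] = sub[33][1:].hex().upper()
    if 16 in sub:                                # Issuer (8-byte key ID)
        hints["keyid"] = sub[16].hex().upper()
    if 28 in sub:                                # Signer's User ID -> only hint usable for WKD
        hints["user_id"] = sub[28].decode()
        hints["wkd_url"] = wkd_direct_url(hints["user_id"])
    return hints

def _sub(t: int, body: bytes) -> bytes:          # one-octet length form, enough for this sample
    return bytes([len(body) + 1, t]) + body

# Constructed sample: version 4, sig type 0x00, RSA (1), SHA-256 (8), then hashed subpackets.
FPR = bytes.fromhex("59A29DEA8D37388C656863DFB97A1EE09DB417EC")
_hashed = _sub(33, b"\x04" + FPR) + _sub(28, b"wiktor@metacode.biz") + _sub(16, FPR[-8:])
SIG_BODY = b"\x04\x00\x01\x08" + len(_hashed).to_bytes(2, "big") + _hashed
```

Running `lookup_hints(SIG_BODY)` yields both a fingerprint (what a keyserver query needs) and a user ID with its WKD URL; a signature made with a hex `default-key` and no Signer's User ID would yield only the former.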