
WKD - .onion redirects mapping
Folks,

Is there any facility in GnuPG, or any neat hacks which can be applied
to current releases, to be able to remap WKD queries to go to specified
.onion hosts?

Eg, <https://onion.debian.org/> lists:

openpgpkey.debian.org: http://habaivdfcyamjhkk.onion/

and indeed if I use `gpg --list-keys --with-wkd-hash debian.org` and
pick someone vaguely at random, I can run:

curl -fSs http://habaivdfcyamjhkk.onion/.well-known/openpgpkey/debian.org/hu/ycp4ih1jtsdky6d6ufee9h3txmmaqgag | gpg --import

and it works.

My understanding is that for .onion hostname services they already have
security equivalent to TLS providing privacy in their direct links onto
Tor, so if I trust my access to my Tor gateway, this gives enough
privacy.

So I'd be looking for something morally equivalent to having
`~/.gnupg/onion-wkd-mappings.txt` containing lines like, well, the
snippet I pasted above from the onion.debian.org page (with comments etc
allowed too, so I can record the provenance of mappings), or some moral
equivalent (directory with entries to be remapped, etc).

Or am I looking at just a thin shell wrapper to do the mappings needed
to invoke `curl | gpg` as above? I'm thinking that with dirmngr already
having some Tor support, it's a better place to automatically do so.

-Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
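A sketch of the mapping-file idea from the post above, added here as an example; it is not code from the thread or from GnuPG. It derives the WKD hash (z-base-32 of the SHA-1 of the lowercased local part), parses a mapping file in the exact format quoted from onion.debian.org (with `#` comments for provenance), and rewrites the lookup URL to the listed .onion host, falling back to the ordinary HTTPS lookup otherwise. The mapping text, the example.org entry and the addresses are constructed placeholders.

```python
import base64
import hashlib

# z-base-32 uses the same 5-bit grouping as RFC 4648 base32, only a different alphabet.
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TRANS = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", _ZB32)

# Constructed mapping file in the format quoted from onion.debian.org (the example.org entry is a placeholder).
MAPPINGS_TXT = """
# openpgpkey host           onion host (provenance: https://onion.debian.org/)
openpgpkey.debian.org: http://habaivdfcyamjhkk.onion/
openpgpkey.example.org: http://exampleonionplaceholder.onion/   # constructed, not a real service
"""

def zbase32(data: bytes) -> str:
    """z-base-32 encode; a 20-byte SHA-1 digest yields exactly 32 characters, no padding."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_TRANS)

def wkd_hash(local_part: str) -> str:
    """WKD hashes the lowercased local part with SHA-1 and z-base-32 encodes the digest."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def parse_mappings(text: str) -> dict:
    """Map 'openpgpkey.<domain>' lines to a bare .onion host; '#' starts a comment."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, target = line.partition(":")
        host, target = host.strip().lower(), target.strip()
        onion = target[len("http://"):].rstrip("/") if target.startswith("http://") else ""
        if not host.startswith("openpgpkey.") or not onion.endswith(".onion") or "/" in onion:
            raise ValueError(f"bad mapping line: {raw!r}")
        mappings[host[len("openpgpkey."):]] = onion
    return mappings

def wkd_url(address: str, mappings: dict) -> str:
    """Build the advanced-method WKD URL, redirected to the .onion host when one is mapped."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    path = f"/.well-known/openpgpkey/{domain}/hu/{wkd_hash(local)}"
    onion = mappings.get(domain)
    # Unmapped domains keep the normal HTTPS lookup; the mapping file itself is the trust decision.
    return f"http://{onion}{path}" if onion else f"https://openpgpkey.{domain}{path}"

if __name__ == "__main__":
    print(wkd_url("someone@example.org", parse_mappings(MAPPINGS_TXT)))
```

The resulting URL can be fed to `curl | gpg --import` as in the post; whoever edits the mapping file is asserting that the .onion host is the legitimate key server for that domain.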
Re: WKD - .onion redirects mapping
On Mon, 27 Jul 2020 15:01, Phil Pennock said:

> My understanding is that for .onion hostname services they already have
> security equivalent to TLS providing privacy in their direct links onto

Yes, privacy. But that is just a welcome side-effect. What we need is
that the domain is authenticated so that we can consider the key to be
valid at a certain level. I see no way how you can do this via an
anonymizer because the two goals are in contradiction.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: WKD - .onion redirects mapping
On 2020-08-04 at 16:46 +0200, Werner Koch via Gnupg-users wrote:
> Yes, privacy. But that is just a welcome side-effect. What we need is
> that the domain is authenticated so that we can consider the key to be
> valid at a certain level. I see no way how you can do this via an
> anonymizer because the two goals are in contradiction.

Isn't that what a static mapping file accomplishes? Not a good
longer-term solution, but buys the ability to explore the problem space.

Eg, there could be DNSSEC-signed records in DNS saying "this string is
equivalent for Tor". If DNS is routed over Tor then the object signing
gives you that assurance. You get privacy and assurance. DNSSEC means
you no longer need to care how you get the responses, provided that
there's a DS trust chain down to the result you want.

So spitballing wildly, `_tor_https.example.org` as a set of TXT records
could provide one domain each which are equivalent.

-Phil
