
WKD, wildcard DNS resolution (Re: Error when trying to locate key via WKD)
On Thursday 28 October 2021 12:07:52, Andrew Gallagher via
Gnupg-users wrote:
> On 28/10/2021 10:44, Bernhard Reiter wrote:

> > can you provide me a pointer to the gnupg-devel thread?
> > (Did a few minutes of searching, I probably missed something.)
>
> The megathread from hell starts here :-)
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html

That is not gnupg-_devel_ (where I was searching). :)
I actually read most of the January thread on "WKD for GitHub pages".

Interesting to me is:
https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
Ingo explaining that it is considered a security drawback if a domain
for the advanced method is there but does not allow a connection
with a valid TLS certificate.

The understanding of the current draft therefore is:
If the subdomain for the advanced method resolves via DNS,
the direct method MUST NOT be used.

Rationale: if the webspace of my email domain is not under my direct control,
I'll use the advanced method to indicate a different WKD server I'll trust
(and control sufficiently to do so) by creating the necessary DNS entry.
If a WKD client would ask this email domain webspace in the direct method,
there is an additional attack vector because I do not control the webserver.

On the other hand, if I trust my email domain webserver, the DNS provider can
create the advanced method DNS entry and attack me. However this DNS provider
could also just change the entry to my email domain webserver.

If so, maybe the phrasing can be improved for the next draft.

Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: WKD, wildcard DNS resolution (Re: Error when trying to locate key via WKD)
On 28/10/2021 12:25, Bernhard Reiter wrote:
> On Thursday 28 October 2021 12:07:52, Andrew Gallagher via
> Gnupg-users wrote:
>> The megathread from hell starts here :-)
>> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html
>
> That is not gnupg-_devel_ (where I was searching). :)

To be fair to Ingo, he did say "here OR on gnupg-devel" :-)

> Interesting to me is:
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
> Ingo explaining that it is considered a security drawback if a domain
> for the advanced method is there but does not allow a connection
> with a valid TLS certificate.
>
> The understanding of the current draft therefore is:
> If the subdomain for the advanced method resolves via DNS,
> the direct method MUST NOT be used.

As Werner pointed out on the other thread, the mail provider can disable
the advanced method by creating a TXT record for openpgpkey.mail.de -
the existence of the TXT record will prevent the wildcard from matching
the advanced method's A lookup, and gnupg should fail back to the old
method.

The ball belongs in mail.de's court IMO, however the confusion is
understandable.

> On the other hand, if I trust my email domain webserver, the DNS provider can
> create the advanced method DNS entry and attack me. However this DNS provider
> could also just change the entry to my email domain webserver.

Indeed, if you don't trust your DNS provider, you have worse problems... ;-)

--
Andrew Gallagher
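The lookup order Andrew describes, as an added example that is not part of this thread or of GnuPG's code: a catch-all wildcard A record makes openpgpkey.<domain> resolve, so a client picks the advanced method; a TXT record placed at that exact name stops the wildcard from matching the A query, and the client falls back to the direct method. The zone is a small dictionary with a simplified RFC 4592 wildcard model; zone contents, addresses and the local part are constructed.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed, lower-cased local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)            # pad to a multiple of 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def hashed_local(local: str) -> str:
    """WKD 'hu' path component: z-base-32(SHA-1(lower-cased local part))."""
    return zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())

def lookup_a(zone: dict, name: str) -> list:
    """Simplified RFC 4592 wildcard matching over a dict zone (constructed model).
    A wildcard only synthesises an answer when the queried name does not exist
    at all; a name that owns any record (even just TXT) answers NODATA instead."""
    if name in zone:
        return zone[name].get("A", [])        # name exists: no wildcard synthesis
    labels = name.split(".")
    for i in range(1, len(labels)):           # walk up: *.mail.de, *.de, ...
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard].get("A", [])
    return []                                 # NXDOMAIN

def wkd_url(local: str, domain: str, zone: dict) -> str:
    """Choose the WKD method as discussed on the list: if openpgpkey.<domain>
    resolves, use the advanced method; otherwise fall back to the direct method."""
    sub = f"openpgpkey.{domain}"
    hu = hashed_local(local)
    if lookup_a(zone, sub):
        return f"https://{sub}/.well-known/openpgpkey/{domain}/hu/{hu}?l={quote(local)}"
    return f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={quote(local)}"

# Constructed zones: a catch-all wildcard (the mail.de situation from the thread),
# and the same zone after the provider adds a TXT record at openpgpkey.mail.de.
WILDCARD_ZONE = {"mail.de": {"A": ["192.0.2.10"]}, "*.mail.de": {"A": ["192.0.2.10"]}}
OPTED_OUT_ZONE = {**WILDCARD_ZONE, "openpgpkey.mail.de": {"TXT": ["no WKD here"]}}

if __name__ == "__main__":
    print(wkd_url("alice", "mail.de", WILDCARD_ZONE))   # advanced-method URL
    print(wkd_url("alice", "mail.de", OPTED_OUT_ZONE))  # direct-method URL
```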