WKD: User ID filtering
Werner Koch
wk at gnupg.org
Thu Jun 21 09:39:34 CEST 2018
On Wed, 20 Jun 2018 22:06, gnupg-devel at gnupg.org said:
> Is this by design?
Yes, this is by design of the protocol. The protocol asserts via TLS that
a user id is managed by a certain domain (i.e. mail provider). The client
connects to the domain of a user id and looks up the key. That key is
then stored in the local public keyring along with a flag that the user
id has been retrieved via WKD.
> Should this behavior be documented/recommended in the I-D?
I thought this was obvious. I will add this to the security
considerations:
| The mail provider MUST make sure to filter a key in a way that only
| the User ID belonging to that user is returned and that confirmation
| requests are only sent for such User IDs. It is further recommended
| that a client filters the key for a publication request so that only
| a key with the specific User ID of the provider is sent.
Shalom-Salam,
Werner
--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
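The two mechanics Werner describes, the client deriving the look-up location for a user id at the provider's domain and the provider (or publishing client) filtering the key down to the one User ID that belongs to that address, as an added example. This is illustrative code written for this page, not GnuPG's implementation or the wording of the I-D; the function names are mine, and the sample key is built from constructed placeholder packets whose key material and signature bodies are dummies (only the packet framing and the User ID strings matter for the filter).

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_PUBSUBKEY, TAG_UATTR = 2, 6, 13, 14, 17


def zbase32_encode(data: bytes) -> str:
    """Z-Base-32: 5 bits per symbol, MSB first (a 20-byte SHA-1 gives 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lower-cased local part with SHA-1 and Z-Base-32 encodes it."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> tuple[str, str]:
    """(advanced, direct) look-up URLs; the domain is the provider the client trusts via TLS."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    path = f"hu/{wkd_hash(local)}?l={quote(local, safe='')}"
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{path}",
            f"https://{domain}/.well-known/openpgpkey/{path}")


@dataclass
class Packet:
    tag: int
    body: bytes
    raw: bytes  # header + body, re-emitted untouched when the packet is kept


def parse_packets(blob: bytes) -> list[Packet]:
    """Split a binary OpenPGP message into packets (old and new format headers)."""
    pkts, i = [], 0
    while i < len(blob):
        start, ctb = i, blob[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag, o1 = ctb & 0x3F, blob[i]
            i += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + blob[i] + 192, i + 1
            elif o1 == 255:
                length, i = int.from_bytes(blob[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not used in keys")
        else:  # old-format header; length type 3 (indeterminate) is not valid in keys
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not allowed in keys")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(blob[i:i + n], "big"), i + n
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        pkts.append(Packet(tag, body, blob[start:i]))
    return pkts


def new_packet(tag: int, body: bytes) -> bytes:
    """Serialise a packet with a new-format header (used to build the sample key)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big") + body


def uid_address(uid: bytes) -> str:
    """Mail address of a User ID ("Name <addr>" or a bare address), lower-cased."""
    m = re.search(rb"<([^<>]+)>", uid)
    return (m.group(1) if m else uid.strip()).decode("utf-8", "replace").lower()


def filter_key_for_wkd(key: bytes, address: str) -> bytes:
    """Keep the primary key, its direct signatures, all subkeys, and only the User ID
    for `address` with its signatures. Other User IDs, User Attributes and the
    signatures that follow them are dropped. Raises if no User ID matches: a key
    without a User ID for the address must not be published under it."""
    want, out, keep, matched = address.lower(), [], True, False
    for p in parse_packets(key):
        if p.tag in (TAG_UID, TAG_UATTR):
            keep = p.tag == TAG_UID and uid_address(p.body) == want
            matched = matched or keep
        elif p.tag != TAG_SIG:
            keep = True  # key packets always stay; a signature follows its owner's fate
        if keep:
            out.append(p.raw)
    if not matched:
        raise ValueError(f"key has no User ID for {address}")
    return b"".join(out)


# Constructed sample (not a real key): framing is real, bodies are dummies.
SAMPLE_KEY = b"".join([
    new_packet(TAG_PUBKEY, b"\x04" + bytes(15)),
    new_packet(TAG_UID, b"Alice <alice@example.org>"), new_packet(TAG_SIG, b"\x04\x13"),
    new_packet(TAG_UID, b"Alice <alice@other.net>"), new_packet(TAG_SIG, b"\x04\x13"),
    new_packet(TAG_UATTR, bytes(1)), new_packet(TAG_SIG, b"\x04\x13"),
    new_packet(TAG_PUBSUBKEY, b"\x04" + bytes(15)), new_packet(TAG_SIG, b"\x04\x18"),
])

if __name__ == "__main__":
    print(wkd_urls("Alice@Example.org")[0])
    for p in parse_packets(filter_key_for_wkd(SAMPLE_KEY, "alice@example.org")):
        print(p.tag, p.body if p.tag == TAG_UID else f"{len(p.body)} bytes")
```

The filter works on packet boundaries only, so it never has to interpret key material or signatures; that is exactly the property a provider wants for the MUST above, since the other User IDs (and the address they leak) are gone before the key ever leaves the domain. The same function serves the recommended client side, run before a publication request so that a multi-address key is never sent to a provider in full.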