WKD proper behavior on fetch error

Stefan Claas spam.trap.mailing.lists at gmail.com
Fri Jan 15 07:56:16 CET 2021


On Fri, Jan 15, 2021 at 2:04 AM raf via Gnupg-users
<gnupg-users at gnupg.org> wrote:

[...]

> I'm really not an expert, and the above might not make
> any sense. I'm just thinking aloud.

Me neither ... :-) For me, the question I had is still unresolved
when it comes to properly explaining what security implication
it gives, when for example sequoia-pgp can handle this and
why the draft explicitly says it MUST use the advanced-method
first.

Don't you think when GitHub, a major player, would have an invalid
SSL cert, that maybe one of the millions of programmers there would not
have contacted GitHub, like I did, and say hey GitHub you serve
the global community and visitors an invalid SSL certificate? I must
admit that I also do not understand what you mean with sub-sub
domains. My GitHub page is sac001.github.io and not foo.bar.github.io
or whatever. If Werner had told me/us, hey look, according to my draft
the advanced method MUST be used because of this and that
security implication and it is not allowed in this case to fall back
if an (for WKD) invalid cert is present, because of this/that security
issue, I guess then I would have had a better understanding and then I guess
also the sequoia team would never have done it so that it works
with sequoia-pgp.

Regards
Stefan


