On Wed, Jan 13, 2021 at 10:22 AM André Colomb <an...@colomb.de> wrote:

> So the core problem, as with Stefan's case, is the lack of control over
> the domain's DNS settings.  Which the WKD mechanism relies upon to
> delegate trust to the domain operators.

Hi Andre, I wouldn't formulate it this way. I already mentioned that I am able
to set up for my 300baud.de domain a couple of droplets and use as suggested
a valid wildcard subdomain cert, like I explained with the bund.de example and
I am pretty sure that GnuPG and gpg4win will then fail, same as with GitHub.

Regarding Neal's attack example, I also posted here an idea to make it for
Mallory harder, to exchange (a) key(s) from a host, serving a WKD directory,
which also does not break the specs, by simply adding to the policy file
the fingerpint(s) and putting verifiable .ots file(s), in for example,
the hu folder.

Best regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to