On Wed, Jan 13, 2021 at 10:22 AM André Colomb <an...@colomb.de> wrote:
> So the core problem, as with Stefan's case, is the lack of control over > the domain's DNS settings. Which the WKD mechanism relies upon to > delegate trust to the domain operators. Hi Andre, I wouldn't formulate it this way. I already mentioned that I am able to set up for my 300baud.de domain a couple of droplets and use as suggested a valid wildcard subdomain cert, like I explained with the bund.de example and I am pretty sure that GnuPG and gpg4win will then fail, same as with GitHub. Regarding Neal's attack example, I also posted here an idea to make it for Mallory harder, to exchange (a) key(s) from a host, serving a WKD directory, which also does not break the specs, by simply adding to the policy file the fingerpint(s) and putting verifiable .ots file(s), in for example, the hu folder. Best regards Stefan _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users