On Tue, Jan 19, 2021 at 7:06 PM Stefan Claas <spam.trap.mailing.li...@gmail.com> wrote: > > On Tue, Jan 19, 2021 at 1:14 PM Werner Koch via Gnupg-users > <gnupg-users@gnupg.org> wrote: > > > > On Tue, 19 Jan 2021 09:28, Neal H. Walfield said: > > > > > When you look up the openpgpkey.example.org domain, you are revealing > > > to anyone snooping DNS traffic that you are using OpenPGP and are > > > looking for a key related to example.org. That's a privacy issue. > > > > No, it isn't. The next thing you do is to send the mail and get a > > reply. Get real. > > I share the same sentiments as Neal, why? > > I am aware that the whole WWW can be scraped or searched in about > a couple of minutes and let's say in my GitHub case I could imagine > that for an explicit openpgpkey subdomain it could be possible to > get all WKD directories, with an openpgpkey subdomain part, in > case GitHub would do this (which they will hopefully not do.) > > And at least we have the direct-method for usage without an > openpgpkey sub or sub-sub domain part. So why give WKD > enthusiast not this option and out of curiousity please try to > explain to us why the current draft say MUST and not MAY > or SHOULD? I like to learn, because WKD is freaking cool > with OpenPGP apps, like sequoia-pgp or Mailvelope etc.
Example: Mallory sitting in the United States likes to prepare a list (without my consent) and published on a U.S. site, so that like SKS key server dumps the whole world can obtain a list of all openpgpkey subdomains. So far so good. Mr 'edge case' Stefan knows this and counterstrikes with his domain radio-eriwan.su (which I own) and set's up for Mr Mallory a WKD direct-method dir with n dummy keys. Good luck Mr Mallory figuring out which domains have real OpenPGP users keys hosted and which not. Best regards Stefan _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
