On 2021-01-20 at 08:08 +0100, Stefan Claas via Gnupg-users wrote: > On Wed, Jan 20, 2021 at 12:41 AM Ángel <an...@pgp.16bits.net> wrote: > > > A list of all (well, most) openpgpkey subdomains can be easily > > created. > > Yes and I believe that what Neal and you (in your new posting) have > explained makes it only worthwhile for Mallory to start his work, > because he has such an openpgpkey list created.
No, no, no. The idea of my previous mail, was *precisely* that there is no point for Mallory to do that. Counting wkd servers can be interesting for statistics, measuring adoption, etc. but that would be of no use for an attacker. Ok, let's frame it a bit different. I will give a game for you. Last night, I prepared the domain wkdtest.pgp.16bits.net It is a valid wkd server. I have just created and uploaded there a new pgp key, and you have to obtain it: «We have intercepted the following communication sent to an spy using an undisclosed openpgp implementation. Based on the detected network traffic, we are sure the key itself was downloaded using wkd, and the domain of the userid to be ‘wkdtest.pgp.16bits.net’ Your mission, should you choose to accept it, is to find out the name of the spy to which this communication was addressed: -----BEGIN PGP MESSAGE----- hQEMA80mh7+7fSYkAQf+PAyI1VWXZRST42basod3Rk7/44hi8nw+ARdmEy61esdJ qIWQvz2qyPJsmS5if5xfUhwzmGI6itNC+wqIrNNo5AGt+qzkHHYZswuaintmk5IF Wrh6xxHdiH1q2UMgl/SGhEQcPStUy1GdTUcx9wygjmSQwdgQhimezmdbhhoYQ13s hlZ001IhiGkBse8V+qK0g7vhWCO5XTHwMLMr3I1twcRbow4RYtw1BGp4mco1llgm BkRpAL+WFw/CFBp7W7Dn9Yz9wN5q7LDLlyO3sGmWex7IcxD2McHSYNR7roiPjwu8 5ke+MO7CM3VHmMyx1eCAXRJY7RwDvIYaZLJHbtai+owuBAkDAjJqwNFYeYiW6r/E 9KRfCCy/LsKDQW7rWCs0dLW1BM5xswAIk/SzaJDTMNJQAW6yb7Le32ao1MsEfx47 EAwlArtFZTWZvwiICcBHFPbJ8V6+mHRr4qjRKQFIE96zGCLQHnoZfUjhl+Hb5zPb +L3PfKDvYARTEOJvj/4w2Tc= =6hHu -----END PGP MESSAGE-----» Can you figure this out? _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
