On 28/10/2021 12:25, Bernhard Reiter wrote:
> On Thursday 28 October 2021 12:07:52 Andrew Gallagher via Gnupg-users wrote:
>> The megathread from hell starts here :-)
>> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html
> That is not gnupg-_devel_ (where I was searching). :)
To be fair to Ingo, he did say "here OR on gnupg-devel" :-)
> Interesting to me is:
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
> Ingo explaining that it is considered a security drawback if a domain for the advanced method is there but does not allow a connection with a valid TLS certificate. The understanding of the current draft therefore is: if the subdomain for the advanced method resolves via DNS, the direct method MUST NOT be used.
As Werner pointed out on the other thread, the mail provider can disable the advanced method by creating a TXT record for openpgpkey.mail.de - the existence of the TXT record will prevent the wildcard from matching the advanced method's A lookup, and gnupg should fail back to the old method.
The ball belongs in mail.de's court IMO; however, the confusion is understandable.
> On the other hand, if I trust my email domain webserver, the DNS provider can create the advanced method DNS entry and attack me. However, this DNS provider could also just change the entry to my email domain webserver.
Indeed, if you don't trust your DNS provider, you have worse problems... ;-)

-- 
Andrew Gallagher
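The two points above (the draft's "if the advanced subdomain resolves, use it" rule, and the observation that a TXT record at openpgpkey.<domain> stops a wildcard from matching the advanced method's A lookup) can be made concrete in a small model. The following is an added example written for this thread; it is not code from GnuPG, from the WKD draft or from any poster. The z-base-32 alphabet and the hash construction follow the WKD draft; the `ToyZone` resolver, `choose_wkd_method`, and the two mail.de-style zones (with documentation-range addresses) are constructed for illustration and are not a real DNS client.

```python
"""
Added example (not from the gnupg-users thread, GnuPG or the WKD draft).
Models WKD URL construction plus the method-selection rule discussed on the
list, using a toy authoritative zone with RFC 4592 wildcard semantics so the
"TXT record at openpgpkey.<domain> disables the advanced method" effect can
be checked offline.
"""
import hashlib

# z-base-32 alphabet as used by the WKD draft for the local-part hash
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding characters, zero-bit padded)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad to a multiple of 5 bits
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD URLs for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
    }


class ToyZone:
    """Hypothetical in-memory zone: {name: {rrtype: [values]}} with
    simplified RFC 4592 wildcard handling."""

    def __init__(self, records: dict):
        self.records = {n.lower(): v for n, v in records.items()}

    def lookup(self, name: str, rrtype: str) -> list:
        name = name.lower()
        if name in self.records:
            # The name exists, so no wildcard synthesis happens.
            # An empty list here is a NODATA answer (name exists, no such type).
            return list(self.records[name].get(rrtype, []))
        # Name does not exist: the closest enclosing wildcard may synthesize it.
        labels = name.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.records:
                return list(self.records[wildcard].get(rrtype, []))
        return []  # NXDOMAIN


def choose_wkd_method(domain: str, zone: ToyZone) -> str:
    """Rule as quoted from the draft discussion: if openpgpkey.<domain>
    resolves, the advanced method is used; otherwise fall back to direct."""
    sub = f"openpgpkey.{domain}"
    if zone.lookup(sub, "A") or zone.lookup(sub, "AAAA"):
        return "advanced"
    return "direct"


# Constructed zones (documentation address range) modelling the mail.de case.
WILDCARD_ONLY = ToyZone({
    "mail.de": {"A": ["192.0.2.10"]},
    "*.mail.de": {"A": ["192.0.2.10"]},  # catch-all for the web frontend
})
WILDCARD_WITH_OPTOUT = ToyZone({
    "mail.de": {"A": ["192.0.2.10"]},
    "*.mail.de": {"A": ["192.0.2.10"]},
    # Any record type at this name blocks wildcard synthesis for it.
    "openpgpkey.mail.de": {"TXT": ['"WKD advanced method not offered"']},
})

if __name__ == "__main__":
    for name, zone in (("wildcard only", WILDCARD_ONLY),
                       ("wildcard + TXT opt-out", WILDCARD_WITH_OPTOUT)):
        print(f"{name}: openpgpkey.mail.de A ->",
              zone.lookup("openpgpkey.mail.de", "A") or "no answer",
              "| method:", choose_wkd_method("mail.de", zone))
    print(wkd_urls("Joe.Doe@Example.ORG"))
```

In the wildcard-only zone the advanced subdomain answers with the catch-all address (and, as Ingo's message notes, will then typically fail the TLS certificate check), so a client applying the draft rule picks the advanced method. Adding a TXT record at openpgpkey.mail.de makes the A query a NODATA answer, and the same rule falls back to the direct method, which is the opt-out Werner described. The real `gpg --with-wkd-hash` output for joe.doe@example.org can be compared against `wkd_hash` if you want to check the hash construction.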
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users