On 2018-07-06 15:45:08 -0500, Derek Martin wrote:
> On Thu, Jul 05, 2018 at 09:47:51AM +0200, Wiktor Kwapisiewicz wrote:
> > > Does this mean that WKD would always be enabled?
> > > If so, this potentially leaks from whom email is being received to third
> > > parties, and I will patch my copy of mutt to remove it.
> >
> > It is triggered only when you want to send an e-mail *to* a person
> > AND explicitly enable encryption AND you don't have their key
> > locally. Then it queries that person's HTTPS server.
>
> So... This isn't really too different. If the config option somehow
> got set unintentionally, it still potentially leaks information, even
> if it is on send rather than on receipt. It's actually worse, because
> it leaks whom you are actually sending messages to, rather than from
> whom you're receiving them... Received messages could be spam or
> other senders you simply don't know. Sending messages is a conscious
> choice, so it reveals something material.

So, perhaps if the WKD protocol were *also* used for received messages,
this would be less problematic.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
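
What the lookup discussed in this thread puts on the wire, as an added example that is not part of the original message and is not mutt or GnuPG code: it builds the two request URLs defined by the Web Key Directory draft for a recipient and lists the hosts that may see a connection under the three conditions quoted above. The function names, the keyring modelled as a set of lowercase addresses, and the sample addresses are assumptions made for illustration.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad to a multiple of 5 bits
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def wkd_requests(address: str) -> list[dict]:
    """Return the candidate WKD requests for one recipient, in lookup order."""
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    # Only ASCII letters are lowercased before hashing (bytes.lower does that).
    hu = zbase32(hashlib.sha1(local.encode("utf-8").lower()).digest())
    tail = f"hu/{hu}?l={quote(local)}"
    return [
        {"method": "advanced", "host": f"openpgpkey.{domain}",
         "url": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}"},
        {"method": "direct", "host": domain,
         "url": f"https://{domain}/.well-known/openpgpkey/{tail}"},
    ]

def hosts_contacted(recipients, local_keys, encrypt: bool) -> list[str]:
    """Hosts that may see a lookup: sending, encryption on, key not held locally."""
    if not encrypt:
        return []
    missing = [r for r in recipients if r.lower() not in local_keys]
    return sorted({req["host"] for r in missing for req in wkd_requests(r)})

if __name__ == "__main__":
    # Constructed sample: two recipients, one key already in the keyring.
    rcpts = ["Joe.Doe@Example.ORG", "alice@example.net"]
    for req in wkd_requests(rcpts[0]):
        print(req["method"], req["url"])
    print(hosts_contacted(rcpts, {"alice@example.net"}, encrypt=True))
```

The recipient's domain is visible to anyone on the network path through DNS and the TLS handshake, while the hashed and plain local part in the URL is seen only by the HTTPS server.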