Hi Vincent,
So... This isn't really too different. If the config option somehow
got set unintentionally, it still potentially leaks information, even
if it is on send rather than on receipt. It's actually worse, because
it leaks whom you are actually sending messages to, rather than from
whom you're receiving them... Received messages could be spam or
other senders you simply don't know. Sending messages is a concious
choice, so it reveals something material.
So, perhaps if the WKD protocol were *also* used for received messages,
this would be less problematic.
I think WKD can already be used in mutt for received messages, without
any modifications to mutt but given three conditions are satisfied:
* auto-key-locate in gpg.conf includes "wkd" (by default it's
"local,wkd" so that's OK),
* auto-key-retrieve is set (that enables automatic verification of
signatures, by default it is *not* enabled, for example Fabian Groffen
said he has it enabled),
* the *sender* of the message creates signature by specifying their
e-mail not keyid, this is rather elaborate edge case but "gpg -u
u...@example.com --sign" adds user's e-mail to the signature (thus
enabling WKD lookup on signatures) but "gpg -u 0x123123 --sign" does
*not*. I don't know what mutt does at this point.
From other news I got the info from gnupg-devel mailing list from Andre
Heinecke that works on GPGME and he said [0] that:
You do it right. GPGME_KEYLIST_MODE_LOCATE (or an or of local and extern) uses
what is configured in auto-key-locate options.
[0]: https://lists.gnupg.org/pipermail/gnupg-devel/2018-July/033831.html
So setting LOCAL|EXTERN does *not* mean it will do network lookup it
means it *can* do network lookup if this is configured in gpg.conf
(option "auto-key-locate"). I've tested this on my sample program and
sure enough, setting "auto-key-locate" to "local" in gpg.conf does *not*
make network lookups even with LOCAL|EXTERN (a.k.a. LOCATE) in mutt.
LOCAL, that is used by GPGME by default, and currently by mutt, does not
consult user configuration in "auto-key-locate".
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor
