Werner Koch <wk(_at_)gnupg(_dot_)org> writes:

> On Fri, 7 Dec 2018 15:44, hanno(_at_)hboeck(_dot_)de said:
>
>> I think it would be good if the WKD draft would be updated to clarify
>> that a client should never answer to any 401 authentication requests
>> from the server.
>
> Is this okay:
>
> A client MUST not accept a HTTP authentication challenge (HTTP code

You should capitalize this as "MUST NOT" (and not "MUST not").

> 401) because the information in the Web Key Directory is public and
> needs no authentication. Allowing an authentication challenge has the
> problem to easily confuse a user with a password prompt and tricking
> him into falsely entering the passphrase used to protect his private
> key or to login to his mail provider.
>
> Shalom-Salam,
>
> Werner

-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
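The rule under discussion, shown as an added example that is not code from this thread, from GnuPG, or from the WKD draft: a minimal direct-method WKD lookup in Python whose HTTP client has no authentication handlers installed and treats a 401 challenge as a hard failure rather than something to answer. The hashed local part follows the draft (z-base-32 of SHA-1 over the lower-cased local part). The local HTTP server, the addresses alice/bob/nobody@example.org and the placeholder key block are constructed fixtures so the block runs offline; the `base_url` override exists only to point the client at that stand-in.

```python
import hashlib
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# z-base-32 alphabet used by WKD for the hashed local part ("hu").
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first, no padding characters."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5  # zero-fill the last group to a multiple of 5 bits
    value <<= pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits + pad - 5, -1, -5))


def wkd_hashed_local_part(local_part: str) -> str:
    """WKD 'hu' component: z-base-32(SHA-1(lower-cased local part))."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_direct_url(address: str, base_url: Optional[str] = None) -> str:
    """Direct-method WKD URL; base_url (assumption for the demo) replaces https://<domain>."""
    local_part, domain = address.rsplit("@", 1)
    base = base_url if base_url is not None else f"https://{domain}"
    return (f"{base}/.well-known/openpgpkey/hu/{wkd_hashed_local_part(local_part)}"
            f"?l={urllib.parse.quote(local_part)}")


class WkdAuthChallengeRefused(Exception):
    """Server sent 401: WKD data is public, so the client never authenticates."""


def fetch_wkd_key(address: str, base_url: Optional[str] = None, timeout: float = 5.0):
    """Return key bytes, None when the server has no key (404), or raise.

    build_opener() with no arguments installs neither HTTPBasicAuthHandler nor
    HTTPDigestAuthHandler, so a 401 can only surface as HTTPError; it is refused
    here instead of being turned into any kind of credential prompt.
    """
    opener = urllib.request.build_opener()
    try:
        with opener.open(wkd_direct_url(address, base_url), timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            challenge = err.headers.get("WWW-Authenticate")
            raise WkdAuthChallengeRefused(f"{address}: refused challenge {challenge!r}") from None
        if err.code == 404:
            return None
        raise


class _FakeWkdHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a WKD server: 200 for known hu, 401 for some, else 404."""
    keys: dict = {}          # hu -> key bytes
    challenges: set = set()  # hu values answered with a Basic challenge

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        prefix = "/.well-known/openpgpkey/hu/"
        hu = path[len(prefix):] if path.startswith(prefix) else None
        if hu in self.keys:
            body = self.keys[hu]
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif hu in self.challenges:
            self.send_response(401)  # exactly what the draft text says a client must not honour
            self.send_header("WWW-Authenticate", 'Basic realm="not a real WKD"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo() -> dict:
    """Run three lookups against the local stand-in and report the client's decisions."""
    fake_key = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n"
    _FakeWkdHandler.keys = {wkd_hashed_local_part("alice"): fake_key}
    _FakeWkdHandler.challenges = {wkd_hashed_local_part("bob")}
    server = HTTPServer(("127.0.0.1", 0), _FakeWkdHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    results = {}
    try:
        results["alice"] = fetch_wkd_key("alice@example.org", base)
        try:
            fetch_wkd_key("bob@example.org", base)
            results["bob"] = "accepted-challenge"  # must never happen
        except WkdAuthChallengeRefused:
            results["bob"] = "refused-401"
        results["nobody"] = fetch_wkd_key("nobody@example.org", base)
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

The client-side decision lives entirely in `fetch_wkd_key`: no auth handler is installed, and the 401 branch raises before any caller could be tempted to ask the user for a password. A real implementation would use the advanced method (`openpgpkey.<domain>`) first and fall back to the direct method, but the 401 handling is the same in both.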