Hi Bart,
On 18.04.2019 20:21, Bart Butler wrote:
> This is a good point and I do not think it's been discussed before. The reason
> WKD can't use the TXT record is that browsers can't look up TXT records, all
> they can do is try to resolve domains.
Oh, I was not suggesting adding TXTs - believe me, I'd like to have
good Web compatibility too (that's why I asked about CORS previously,
and well... added support for WKD to OpenPGP.js :).
> I'd say that this is less of an attack vector and more of a 'mischief' vector,
> and that public suffixes can easily protect themselves if it ever becomes an
> issue. WKD client implementations can also use the public suffix list
> themselves to prevent the problem--a quick search yields libraries for lots of
> platforms. Maybe this would be a reasonable suggestion to add to the RFC, but
> it also doesn't seem critical to me.
Got it, thank you for your remarks! I was thinking about using just the
bare domain lookup (without the subdomain), which avoids the issue altogether.
And if someone wants to delegate hosting keys to someone else, adding a
permanent redirect in the HTTP server is usually simple (Nginx example):
    # Nginx: send every WKD request on this host to the host that actually
    # serves the keys (example.com stands in for the delegate), keeping the
    # rest of the path ($1) intact
    location ~ ^/\.well-known/openpgpkey/(.*)$ {
        return 301 https://example.com/.well-known/openpgpkey/$1;
    }
Kind regards,
Wiktor
P.S. I'm eagerly waiting for ProtonMail to add support for WKD too! :)
--
https://metacode.biz/@wiktor
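The two lookup forms the thread contrasts, as an added example that is not part of the original message or of OpenPGP.js: it builds the bare-domain ("direct") and the openpgpkey-subdomain ("advanced") WKD URLs for an address, and, following Bart's suggestion, consults a public suffix list before offering the subdomain form. `PUBLIC_SUFFIXES` is a constructed subset of the real list, used only so the example runs offline; the address `Joe.Doe@Example.ORG` and its hash are the test vector published in the WKD draft.

```python
# Added example (not from the thread): WKD URL construction plus a
# public-suffix check on the subdomain ("advanced") lookup.
import base64
import hashlib
from urllib.parse import quote

# WKD encodes the SHA-1 of the local part with z-base-32. It uses the same
# 5-bit grouping as RFC 4648 base32, only the alphabet differs, so the standard
# encoder can be reused with a character translation.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_B32_STD, _ZB32)

# Constructed subset of the public suffix list, enough for the demo.
# A real client would load the full list from publicsuffix.org or use one of
# the library wrappers Bart mentions.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "github.io"}


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    # 20 bytes encode to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def is_public_suffix(domain: str, psl=PUBLIC_SUFFIXES) -> bool:
    """True when the mail domain is itself a public suffix."""
    return domain.lower() in psl


def wkd_urls(address: str, psl=PUBLIC_SUFFIXES) -> dict:
    """Return the direct and advanced WKD URLs for an e-mail address.

    The advanced URL lives on the host openpgpkey.<domain>. When <domain> is a
    public suffix, that host is registrable by an unrelated party, so the
    advanced entry is set to None and only the bare-domain lookup is offered.
    """
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    hu = wkd_hash(local_part)
    # The l= parameter carries the local part as written by the user.
    lp = quote(local_part, safe="")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={lp}"
    advanced = None
    if not is_public_suffix(domain, psl):
        advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{hu}?l={lp}")
    return {"direct": direct, "advanced": advanced}


if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "someone@co.uk"):
        print(addr, wkd_urls(addr))
```

A client that fetches the direct URL and receives a 301 like the Nginx rule above still ends up at whichever host the domain owner chose; the public-suffix check only decides whether the openpgpkey subdomain is consulted at all.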
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp