
Re: [openpgp] Enigmail XSA issue with WKD and HTTP authentication

2018-12-14 03:05:26
On Fri,  7 Dec 2018 15:44, hanno(_at_)hboeck(_dot_)de said:

> I think it would be good if the WKD draft would be updated to clarify
> that a client should never answer to any 401 authentication requests
> from the server.

Is this okay:

  A client MUST not accept a HTTP authentication challenge (HTTP code
  401) because the information in the Web Key Directory is public and
  needs no authentication.  Allowing an authentication challenge has the
  problem to easily confuse a user with a password prompt and tricking
  him into falsely entering the passphrase used to protect his private
  key or to login to his mail provider.
  


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
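
The rule proposed in the message above, sketched as client code. This is an added example, not part of the original message and not code from Enigmail, GnuPG or any other WKD client; the names `hardened_opener`, `fetch_wkd` and `WKDAuthChallenge` are hypothetical, and treating every other HTTP error as "no key published" is an assumption of the example.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class WKDAuthChallenge(Exception):
    """The server answered a WKD lookup with HTTP 401."""


def hardened_opener():
    # Explicit handler list: no HTTPBasicAuthHandler or HTTPDigestAuthHandler
    # and no password manager, so nothing in the stack can answer a 401.
    # Redirects are not followed in this example.
    opener = urllib.request.OpenerDirector()
    for handler in (urllib.request.HTTPSHandler(),
                    urllib.request.HTTPDefaultErrorHandler(),
                    urllib.request.HTTPErrorProcessor()):
        opener.add_handler(handler)
    return opener


def fetch_wkd(url, opener=None, timeout=10):
    """Return the published key bytes, or None if no key is served at url."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        raise ValueError("WKD URL must be https and carry no credentials")
    request = urllib.request.Request(url, method="GET")
    try:
        with (opener or hardened_opener()).open(request, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # Hard failure: no prompt, no retry with credentials. The realm in
            # WWW-Authenticate is server-controlled text, so it is not echoed.
            raise WKDAuthChallenge(
                f"{parts.hostname} sent an authentication challenge "
                "for a Web Key Directory lookup") from None
        return None  # for example 404: no key published for this address
```

A caller should surface `WKDAuthChallenge` as a failed lookup for that address and never turn it into a password dialog.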