ietf-openpgp

Re: [openpgp] Enigmail XSA issue with WKD and HTTP authentication

2018-12-14 04:07:19
On Fri, 14 Dec 2018 10:02:46 +0100
Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:

  A client MUST not accept a HTTP authentication challenge (HTTP code
  401) because the information in the Web Key Directory is public and
  needs no authentication.  Allowing an authentication challenge has
  the problem to easily confuse a user with a password prompt and
  tricking him into falsely entering the passphrase used to protect his
  private key or to login to his mail provider.

Sounds good.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno(_at_)hboeck(_dot_)de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
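
One way a client could apply the rule quoted above, sketched with Python's urllib. This is an added example, not code from Enigmail, GnuPG or the WKD draft; `fetch_wkd_key` and `WKDAuthChallenge` are hypothetical names, and the caller is assumed to treat the exception as a failed lookup.

```python
import urllib.error
import urllib.request


class WKDAuthChallenge(Exception):
    """A WKD lookup was answered with HTTP 401 (hypothetical name)."""


def fetch_wkd_key(url, opener=None, timeout=10):
    """Return the key bytes, or None when the directory has no key.

    Raises WKDAuthChallenge on HTTP 401 so the caller can log it; the
    caller treats that as a failed lookup and opens no credential dialog.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("WKD lookups are made over https")
    # build_opener() installs no HTTPBasicAuthHandler or
    # HTTPDigestAuthHandler, so a 401 surfaces as HTTPError instead of
    # being retried with credentials.
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # The realm string in WWW-Authenticate is chosen by the server;
            # keep it out of the exception so no UI layer can display it.
            raise WKDAuthChallenge("401 challenge refused for " + url) from None
        return None  # 404 and other HTTP errors: no key available
```

The point of the dedicated exception is that the 401 never reaches code that knows how to ask the user for a password.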