
[openpgp] Web Key Directory and advanced lookup method

2019-04-15 13:03:08
Hello,

I'd like to ask about the (potential) issue with advanced lookup method in WKD.

For those that don't remember what it is: it converts an e-mail address (such as "Joe.Doe@Example.ORG") into a URL that uses the "openpgpkey" subdomain of the e-mail domain (in this case "https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe"). [0]

There are some domains that allow users to register subdomains with any name the user requests (with some exceptions), for example "github.io". So if a user selects "openpgpkey" as a name, and is thus able to host files under the ".well-known" directory, they will effectively intercept all WKD queries for e-mail addresses for that domain.

That is, a query for the key for "security@github.io" will go to the user who registers the "openpgpkey" name.

The problem of domains under which Internet users can directly register names also exists in browsers. To avoid various security issues w.r.t. supercookies, Mozilla manages the Public Suffix List [1], which is used by all major browsers. The list is quite big [2].

I did take a look at MTA-STS [3] as it also uses a subdomain, but in MTA-STS's case they first start with a DNS TXT record query and only then query the mta-sts subdomain, so mere registration of the subdomain wouldn't trigger MTA-STS.

I don't want to suggest any fixes to the spec, just to inquire whether you think it's a real issue or rather a quite obscure edge case.

Thank you for your time!

Kind regards,
Wiktor

[0]: https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-3.1

[1]: https://publicsuffix.org/

[2]: https://github.com/publicsuffix/list/blob/master/public_suffix_list.dat

[3]: https://tools.ietf.org/html/rfc8461

--
https://metacode.biz/@wiktor
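As an added illustration (not part of Wiktor's message, the WKD draft or GnuPG), the advanced-method URL construction from [0] next to a defender-side check: when the e-mail domain is itself a Public Suffix List entry, the "openpgpkey" host lives under a namespace where arbitrary third parties can register names. The PSL subset, the function names and the ASCII-only lowercasing are assumptions.

```python
import base64
import hashlib
from urllib.parse import quote

# Z-Base-32 (RFC 6189 s.5.1.6) packs bits like standard base32 with a different alphabet,
# so for a 20-byte SHA-1 digest (160 bits = 32 symbols, no padding) a translation suffices.
_STD_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_STD_B32, _ZB32)

def zbase32(data: bytes) -> str:
    """Encode data whose bit length is a multiple of 5 (true for SHA-1 digests)."""
    if (len(data) * 8) % 5:
        raise ValueError("padded lengths not handled here")
    return base64.b32encode(data).decode("ascii").translate(_TO_ZB32)

def wkd_hash(local_part: str) -> str:
    """WKD 'hu' component: z-base-32 of SHA-1 over the lowercased local part."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_advanced_url(address: str) -> str:
    """Advanced lookup URL per draft-koch-openpgp-webkey-service section 3.1."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/"
            f"{wkd_hash(local)}?l={quote(local, safe='')}")

# Constructed subset of Public Suffix List rules (assumption); the real list is far larger
# and also has wildcard ("*.") and exception ("!") rules, which this check does not handle.
PSL_SUBSET = {"com", "org", "io", "github.io", "co.uk"}

def openpgpkey_host_shared(domain: str, psl=PSL_SUBSET) -> bool:
    """True when the mail domain is itself a public suffix: anyone may register names
    directly under it, so "openpgpkey.<domain>" can be controlled by a third party."""
    return domain.lower() in psl

def check_wkd_target(address: str, psl=PSL_SUBSET) -> dict:
    """Build the advanced-method URL and flag whether its host could be third-party."""
    domain = address.rsplit("@", 1)[1]
    return {"url": wkd_advanced_url(address),
            "openpgpkey_host_shared": openpgpkey_host_shared(domain, psl)}

if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "security@github.io"):
        print(check_wkd_target(addr))
```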

