Hello,
I'd like to ask about a (potential) issue with the advanced lookup method
in WKD.
For those who don't remember what it is: it converts an e-mail address (such as
"Joe.Doe@Example.ORG") into a URL that uses the "openpgpkey" subdomain of
the e-mail domain (in this case
"https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe") [0].
There are some domains that allow users to register subdomains with any
name the user requests (with some exceptions), for example "github.io".
So if a user selects "openpgpkey" as the name, and is thus able to
host files under the ".well-known" directory, they will effectively
intercept all WKD queries for e-mail addresses in that domain.
That is, a query for the key for "security@github.io" will go to the user who
registered the "openpgpkey" name.
The problem of domains under which Internet users can directly register
names also exists in browsers. To avoid various security issues w.r.t.
supercookies, Mozilla manages the Public Suffix List [1], which is used by all
major browsers. The list is quite big [2].
I did take a look at MTA-STS [3], as it also uses a subdomain, but in
MTA-STS's case they first start with a DNS TXT record query and only then
query the mta-sts subdomain, so mere registration of the subdomain wouldn't
trigger MTA-STS.
I don't want to suggest any fixes to the spec, just inquire whether you think
it's a real issue or rather a quite obscure edge case.
Thank you for your time!
Kind regards,
Wiktor
[0]: https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-3.1
[1]: https://publicsuffix.org/
[2]: https://github.com/publicsuffix/list/blob/master/public_suffix_list.dat
[3]: https://tools.ietf.org/html/rfc8461
--
https://metacode.biz/@wiktor
_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp
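The following is an added example, not code from Wiktor's message, from the WKD draft, or from any WKD implementation. It builds the advanced-method and direct-method URLs as section 3.1 of the draft describes them (lowercase the local part, SHA-1 it, z-base-32 encode the digest) and then applies the check a client might make before trusting the advanced method: whether the e-mail domain is itself a public suffix, in which case "openpgpkey.<domain>" is a name anyone could register. SAMPLE_PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List, and the function names are this example's own.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (the encoding the WKD draft uses for the "hu" component).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    nchars = (len(data) * 8 + 4) // 5
    # Left-align the bit string so the last character gets its low bits zero-filled.
    value = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def split_address(address: str):
    """Return (local_part, lowercased domain); the local part keeps its case for '?l='."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return local_part, domain.lower()


def advanced_url(address: str) -> str:
    """Advanced method: key served from the 'openpgpkey' subdomain of the mail domain."""
    local_part, domain = split_address(address)
    return (
        f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/"
        f"{wkd_hash(local_part)}?l={quote(local_part)}"
    )


def direct_url(address: str) -> str:
    """Direct method: key served from the mail domain itself."""
    local_part, domain = split_address(address)
    return f"https://{domain}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}?l={quote(local_part)}"


# Constructed, tiny stand-in for the Public Suffix List; the real list has thousands of entries.
SAMPLE_PUBLIC_SUFFIXES = frozenset({"com", "org", "io", "github.io"})


def advanced_host_is_registrable(address: str, public_suffixes=SAMPLE_PUBLIC_SUFFIXES) -> bool:
    """True when the mail domain is itself a public suffix.

    In that case "openpgpkey.<domain>" is a name any member of the public could
    register, so the advanced-method host is not under the domain owner's control.
    """
    _, domain = split_address(address)
    return domain in public_suffixes


def lookup_plan(address: str, public_suffixes=SAMPLE_PUBLIC_SUFFIXES) -> dict:
    """Summarise which WKD URL a cautious client would try and why."""
    risky = advanced_host_is_registrable(address, public_suffixes)
    return {
        "advanced": advanced_url(address),
        "direct": direct_url(address),
        "advanced_host_registrable": risky,
        "prefer": "direct" if risky else "advanced",
    }


if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "security@github.io"):
        plan = lookup_plan(addr)
        print(addr)
        for key, value in plan.items():
            print(f"  {key}: {value}")
```

Run it and the first address reproduces the URL quoted in the message above, while "security@github.io" is flagged because its domain is a public suffix in the sample list; a real client would consult the full Public Suffix List rather than the four-entry stand-in used here.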