
Re: [openpgp] Web Key Directory and advanced lookup method

2019-04-18 13:21:28
Hi Wiktor,

This is a good point and I do not think it's been discussed before. The reason 
WKD can't use the TXT record is that browsers can't look up TXT records, all 
they can do is try to resolve domains.

I'd say that this is less of an attack vector and more of a 'mischief' vector, 
and that public suffixes can easily protect themselves if it ever becomes an 
issue. WKD client implementations can also use the public suffix list 
themselves to prevent the problem--a quick search yields libraries for lots of 
platforms. Maybe this would be a reasonable suggestion to add to the RFC, but 
it also doesn't seem critical to me.

Cheers,

Bart

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 15, 2019 11:02 AM, Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org> wrote:

Hello,


I'd like to ask about the (potential) issue with advanced lookup method
in WKD.


For those who don't remember what it is: it converts an e-mail address (such as
"Joe.Doe@Example.ORG") into a URL that uses the "openpgpkey" subdomain of
the e-mail domain (in this case
"https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe").
[0]


There are some domains that allow users to register subdomains with any
name the user requests (with some exceptions). For example "github.io".
So if a user selects "openpgpkey" as a name, and is thus able to
host files under the ".well-known" directory, they will effectively
intercept all WKD queries for e-mail addresses at that domain.


That is, a query for the key for "security@github.io" will go to the user
that registers the "openpgpkey" name.


The problem of domains under which Internet users can directly register
names also exists in browsers. To avoid various security issues w.r.t.
supercookies, Mozilla manages the Public Suffix List [1], which is used by all
major browsers. The list is quite big [2].


I did take a look at MTA-STS [3] as it also uses a subdomain, but in
MTA-STS's case they first start with a DNS TXT record query and only then
query the mta-sts subdomain, so mere registration of the subdomain wouldn't
trigger MTA-STS.


I don't want to suggest any fixes to the spec, just inquire whether you think
it's a real issue or rather a quite obscure edge case.


Thank you for your time!


Kind regards,
Wiktor


[0]: https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-3.1


[1]: https://publicsuffix.org/


[2]: https://github.com/publicsuffix/list/blob/master/public_suffix_list..dat


[3]: https://tools.ietf.org/html/rfc8461




https://metacode.biz/@wiktor


openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp
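As an added example (not code from this thread, the WKD draft, or any WKD implementation), the following Python shows the two pieces the discussion turns on: how the advanced lookup method builds its URL from an address (lowercased local part, SHA-1, z-base-32, "openpgpkey" subdomain), and the client-side check Bart suggests, where a client consults the Public Suffix List before trusting the "openpgpkey" label and falls back to the direct method when the mail domain is itself a public suffix. The PSL excerpt is constructed for the example and is not the real list; the `plan_lookup` policy is one illustration of the suggestion, not the draft's specified behaviour.

```python
from __future__ import annotations

import hashlib
from urllib.parse import quote

# z-base-32 alphabet, the encoding WKD uses for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes with z-base-32: 5 bits per character, most significant bit first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # pad to a multiple of 5 bits (0 for SHA-1's 160 bits)
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits + pad - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD maps the local part to lowercase, hashes it with SHA-1 and z-base-32-encodes the digest."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> tuple:
    """Return (advanced_url, direct_url) for an address, following draft-koch-openpgp-webkey-service."""
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    hashed = wkd_hash(local)
    l_param = quote(local, safe="")         # the original (un-lowercased) local part, percent-encoded
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={l_param}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={l_param}"
    return advanced, direct


# Constructed excerpt in Public Suffix List syntax (NOT the real list): "//" starts a comment,
# "*" matches exactly one label, "!" marks an exception that is registrable despite a wildcard rule.
CONSTRUCTED_PSL = """\
// constructed excerpt for this example
org
io
github.io
*.compute.example
!unrestricted.compute.example
"""


def parse_psl(text: str) -> list:
    """Strip comments and blank lines; return the rules, lowercased."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line:
            rules.append(line.lower())
    return rules


def is_public_suffix(domain: str, rules: list) -> bool:
    """True if `domain` is itself a public suffix, i.e. unrelated parties register names directly beneath it."""
    domain = domain.lower().rstrip(".")
    if "!" + domain in rules:
        return False                        # exception rule: a registrable domain, not a suffix
    labels = domain.split(".")
    for rule in rules:
        if rule.startswith("!"):
            continue
        rule_labels = rule.split(".")
        if len(rule_labels) == len(labels) and all(
                r == "*" or r == label for r, label in zip(rule_labels, labels)):
            return True
    return False


def plan_lookup(email: str, rules: list) -> tuple:
    """Skip the advanced method when the mail domain is a public suffix: the "openpgpkey" label
    there could have been registered by any user, so only the direct method, served from the
    domain apex, is used. Returns (method, url)."""
    advanced, direct = wkd_urls(email)
    domain = email.rpartition("@")[2]
    if is_public_suffix(domain, rules):
        return "direct", direct
    return "advanced", advanced


if __name__ == "__main__":
    psl_rules = parse_psl(CONSTRUCTED_PSL)
    for addr in ("Joe.Doe@Example.ORG", "security@github.io", "someone@unrestricted.compute.example"):
        print(addr, "->", plan_lookup(addr, psl_rules))
```

Running the block prints the advanced URL for Joe.Doe@Example.ORG (matching the one quoted in the thread), while security@github.io is routed to the direct method because "github.io" appears as a public suffix in the excerpt. A production client would load the current list from publicsuffix.org rather than an inline excerpt, and would still follow the draft's normal advanced-then-direct fallback for domains that are not suffixes.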

