Adding support for fetching GPG key using WKD protocol

Vincent Lefevre vincent at
Mon Jul 9 08:16:28 UTC 2018

On 2018-07-06 15:45:08 -0500, Derek Martin wrote:
> On Thu, Jul 05, 2018 at 09:47:51AM +0200, Wiktor Kwapisiewicz wrote:
> > > Does this mean that WKD would always be enabled?
> > > If so, this potentially leaks from whom email is being received to third
> > > parties, and I will patch my copy of mutt to remove it.
> > 
> > It is triggered only when you want to send an e-mail *to* a person
> > AND explicitly enable encryption AND you don't have their key
> > locally. Then it queries that person's HTTPS server.
> So... This isn't really too different.  If the config option somehow
> got set unintentionally, it still potentially leaks information, even
> if it is on send rather than on receipt.  It's actually worse, because
> it leaks whom you are actually sending messages to, rather than from
> whom you're receiving them...  Received messages could be spam or
> other senders you simply don't know.  Sending messages is a concious
> choice, so it reveals something material.

So, perhaps if the WKD protocol were *also* used for received messages,
this would be less problematic.

Vincent Lefèvre <vincent at> - Web: <>
100% accessible validated (X)HTML - Blog: <>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

More information about the Mutt-dev mailing list