Adding support for fetching GPG key using WKD protocol

Vincent Lefevre vincent at vinc17.org
Mon Jul 9 08:16:28 UTC 2018


On 2018-07-06 15:45:08 -0500, Derek Martin wrote:
> On Thu, Jul 05, 2018 at 09:47:51AM +0200, Wiktor Kwapisiewicz wrote:
> > > Does this mean that WKD would always be enabled?
> > > If so, this potentially leaks from whom email is being received to third
> > > parties, and I will patch my copy of mutt to remove it.
> > 
> > It is triggered only when you want to send an e-mail *to* a person
> > AND explicitly enable encryption AND you don't have their key
> > locally. Then it queries that person's HTTPS server.
> 
> So... This isn't really too different.  If the config option somehow
> got set unintentionally, it still potentially leaks information, even
> if it is on send rather than on receipt.  It's actually worse, because
> it leaks whom you are actually sending messages to, rather than from
> whom you're receiving them...  Received messages could be spam or
> other senders you simply don't know.  Sending messages is a conscious
> choice, so it reveals something material.

So, perhaps if the WKD protocol were *also* used for received messages,
this would be less problematic.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
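
Added example, not part of the original message and not mutt's code: a sketch of the lookup gate described in the quoted reply (sending, encryption enabled, no local key) and of which hosts and URLs such a WKD query would touch. The URL layout and z-base-32 hashing follow the WKD Internet-Draft; the function names and the returned structure are hypothetical.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet

def zbase32_sha1(local_part: str) -> str:
    """z-base-32 of SHA-1 over the local part with ASCII letters lowercased."""
    digest = hashlib.sha1(local_part.encode("utf-8").lower()).digest()
    n = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZBASE32[(n >> (155 - 5 * i)) & 31] for i in range(32))

def wkd_urls(address: str) -> dict:
    """Build the 'advanced' and 'direct' WKD URLs for one address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not an addr-spec: %r" % address)
    domain = domain.lower()
    h, l = zbase32_sha1(local), quote(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }

def lookup_plan(recipient: str, encrypt: bool, have_local_key: bool):
    """Hypothetical gate: a query happens only when all three conditions
    from the thread hold. Returns None when nothing leaves the machine."""
    if not encrypt or have_local_key:
        return None
    urls = wkd_urls(recipient)
    domain = recipient.rpartition("@")[2].lower()
    return {
        # Hostnames resolved and contacted, visible to the network path.
        "hosts": [f"openpgpkey.{domain}", domain],
        # Full URLs, seen by the recipient's HTTPS server (hash and l=).
        "urls": urls,
    }

if __name__ == "__main__":
    # Constructed sample address (the one used in the WKD draft).
    for args in [(True, False), (True, True), (False, False)]:
        print(args, lookup_plan("Joe.Doe@Example.ORG", *args))
```
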

