Adding support for fetching GPG key using WKD protocol
wiktor at metacode.biz
Mon Jul 9 13:50:30 UTC 2018
>> So... This isn't really too different. If the config option somehow
>> got set unintentionally, it still potentially leaks information, even
>> if it is on send rather than on receipt. It's actually worse, because
>> it leaks whom you are actually sending messages to, rather than from
>> whom you're receiving them... Received messages could be spam or
>> other senders you simply don't know. Sending messages is a conscious
>> choice, so it reveals something material.
> So, perhaps if the WKD protocol were *also* used for received messages,
> this would be less problematic.
I think WKD can already be used in mutt for received messages, without
any modifications to mutt, given that three conditions are satisfied:
* auto-key-locate in gpg.conf includes "wkd" (by default it's
  "local,wkd", so that's OK),
* auto-key-retrieve is set (that enables automatic verification of
  signatures; by default it is *not* enabled, for example Fabian Groffen
  said he has it enabled),
* the *sender* of the message creates the signature by specifying their
  e-mail, not their key ID; this is a rather elaborate edge case, but "gpg -u
  user@example.com --sign" adds the user's e-mail to the signature (thus
  enabling WKD lookup on signatures) while "gpg -u 0x123123 --sign" does
  *not*. I don't know what mutt does at this point.
From other news, I got the info from the gnupg-devel mailing list from Andre
Heinecke, who works on GPGME, and he said that:
> You do it right. GPGME_KEYLIST_MODE_LOCATE (or an or of local and extern) uses
> what is configured in auto-key-locate options.
So setting LOCAL|EXTERN does *not* mean it will do a network lookup; it
means it *can* do a network lookup if this is configured in gpg.conf
(option "auto-key-locate"). I've tested this on my sample program and,
sure enough, setting "auto-key-locate" to "local" in gpg.conf does *not*
make network lookups even with LOCAL|EXTERN (a.k.a. LOCATE) in mutt.
LOCAL, which is used by GPGME by default and currently by mutt, does not
consult the user configuration in "auto-key-locate".
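As an added example (not from the post, mutt or GPGME), a small Python model of the decision described above: whether a WKD lookup can happen for a given keylist mode and gpg.conf, and whether the three conditions for received signed messages hold. The mode constants are illustrative stand-ins for GPGME's flags, the gpg.conf parsing rules (first auto-key-locate line replaces the default, "clear" empties the list) are assumptions, and the sample configuration is constructed.

```python
# Defaults as stated in the post: auto-key-locate is "local,wkd" and
# auto-key-retrieve is off unless the user enables it.
DEFAULT_AUTO_KEY_LOCATE = ("local", "wkd")

# Illustrative stand-ins for GPGME_KEYLIST_MODE_LOCAL/EXTERN; LOCATE is their OR.
MODE_LOCAL = 1
MODE_EXTERN = 2
MODE_LOCATE = MODE_LOCAL | MODE_EXTERN

def parse_gpg_conf(text):
    """(auto-key-locate mechanisms, auto-key-retrieve flag) from gpg.conf text.

    Assumed semantics: the first auto-key-locate line replaces the default,
    later lines append, and the "clear" keyword empties the list."""
    mechanisms = None
    retrieve = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "auto-key-locate":
            if mechanisms is None:
                mechanisms = []
            for mech in value.lower().replace(",", " ").split():
                if mech == "clear":
                    mechanisms = []
                elif mech not in mechanisms:
                    mechanisms.append(mech)
        elif key == "auto-key-retrieve":
            retrieve = True
        elif key == "no-auto-key-retrieve":
            retrieve = False
    if mechanisms is None:
        mechanisms = list(DEFAULT_AUTO_KEY_LOCATE)
    return mechanisms, retrieve

def wkd_lookup_possible(mode, conf_text):
    """The post's point: EXTERN only *permits* a network lookup; gpg.conf decides."""
    if not mode & MODE_EXTERN:
        return False  # LOCAL alone never consults auto-key-locate
    mechanisms, _ = parse_gpg_conf(conf_text)
    return "wkd" in mechanisms

def received_signature_uses_wkd(conf_text, signature_names_email):
    """All three conditions from the post for a received signed message."""
    mechanisms, retrieve = parse_gpg_conf(conf_text)
    return "wkd" in mechanisms and retrieve and signature_names_email
```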