Adding support for fetching GPG key using WKD protocol

Vincent Lefevre vincent at
Mon Jul 9 15:05:58 UTC 2018

On 2018-07-06 17:50:59 -0500, Derek Martin wrote:
> On Fri, Jul 06, 2018 at 10:54:20PM +0200, Wiktor Kwapisiewicz wrote:
> > If you're sending e-mail to user at and do a WKD query it
> > would reveal that only to But you're sending the e-mail
> > there so that user (or their server admins) would already know that
> > after you send that e-mail.
> False.  It would also potentially reveal that to anyone who was
> operating any part of the network in between your endpoint and the
> endpoint, as well as anyone who was able to subvert some
> aspect of the domain (its DNS, the webserver, etc.) by
> MITM attack or similar.  Or... other things.

If you fear that, and this:

> However the mere revelation of who is receiving my messages can be
> just as dangerous, depending on the type of correspondence I'm having.

then, don't use e-mail, because e-mail will not guarantee the absence
of any leak of the recipient address.

IMHO, the default settings should be what is best for the average
user, in particular users who do not have much knowledge of
potential security issues. Perhaps the WKD protocol is better than
letting the average user decide what to do to retrieve the key:
for instance, retrieving it by plain http (not https) is perhaps
the worst thing to do.

Users with specific needs should be able to configure their software
as they need (not just e-mail, as leaks can come from DNS and so on).

Vincent Lefèvre <vincent at> - Web: <>
100% accessible validated (X)HTML - Blog: <>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
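
Added example, not part of the original message or of Mutt's code: the lookup URL a WKD client derives from a recipient address (Web Key Directory draft rules), and which part of it each party in the thread's scenario can read. The address is the draft's own sample; `visible_to` and its labels are hypothetical names, and it assumes plaintext DNS and TLS SNI with no ECH.

```python
import base64
import hashlib
from urllib.parse import quote

STD_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32 alphabet
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"   # z-base-32 alphabet used by WKD


def wkd_hash(local_part):
    """z-base-32 of the SHA-1 of the local part, ASCII letters lowercased."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    digest = hashlib.sha1(lowered.encode("utf-8")).digest()  # 160 bits -> 32 chars, no padding
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(str.maketrans(STD_B32, ZBASE32))


def wkd_urls(address):
    """Return the 'advanced' and 'direct' WKD lookup URLs for an address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not an addr-spec: %r" % address)
    domain = domain.lower()
    tail = "hu/%s?l=%s" % (wkd_hash(local), quote(local, safe=""))
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/%s"
                    % (domain, domain, tail),
        "direct": "https://%s/.well-known/openpgpkey/%s" % (domain, tail),
    }


def visible_to(address, method="advanced", tls=True):
    """What an on-path observer and the key server each learn from one lookup."""
    url = wkd_urls(address)[method]
    if not tls:
        # Plain http, the case the message calls the worst option.
        url = "http://" + url[len("https://"):]
    host = url.split("/")[2]
    return {
        # With TLS only the host name leaks (DNS query, SNI); without it, everything.
        "on_path": host if tls else url,
        # The server always sees the hash and the clear-text local part (?l=).
        "key_server": url,
    }


if __name__ == "__main__":
    for tls in (True, False):
        print(tls, visible_to("Joe.Doe@Example.ORG", tls=tls))
```
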
