[openpgp] Web Key Directory and CORS

Wiktor Kwapisiewicz <wiktor@metacode.biz> Mon, 25 March 2019 21:09 UTC

Return-Path: <wiktor@metacode.biz>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04CE1120824 for <openpgp@ietfa.amsl.com>; Mon, 25 Mar 2019 14:09:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=metacode.biz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4-Js3sYyQHSI for <openpgp@ietfa.amsl.com>; Mon, 25 Mar 2019 14:08:59 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ECB812082F for <openpgp@ietf.org>; Mon, 25 Mar 2019 14:08:59 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id p14so8208515ljg.5 for <openpgp@ietf.org>; Mon, 25 Mar 2019 14:08:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=metacode.biz; s=2017; h=from:openpgp:autocrypt:organization:to:cc:subject:message-id:date :mime-version; bh=X1aKZwBu10v5IIHSEWezPiPHgPTHQ5cqxy8DkbTFumo=; b=xAVhiFtFFgJmOloQ73oCPj4wqr6M4QnobayP8hd3URXwsg8zEqo4FRMxzfPTkzEzAS 7vuwCXYAgvsJw2ACA7fBiX8GLwoYuKu3YEb4lPm8cOKqmi9S2YxzmZAEuQOBBH7oDlNH KI89U0QrRiGbjqAK8dCllBS44OINwkZ3vYmp6p7qpVUOxfnA26LEAh0JLF3/C1gEqkmR k+i6S3D/X7jW660eVZmBZsbaaKTRjWmm2CMq28tmLY/PU8igQMYTa+R21faumyuYHK/7 ipws2lUF4QZSatT+5PeL8ejEoTyeo36z7Ckv54J3mC/EMZiKfLYK3i2YQ654h/xGVN9F KKeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:openpgp:autocrypt:organization:to:cc :subject:message-id:date:mime-version; bh=X1aKZwBu10v5IIHSEWezPiPHgPTHQ5cqxy8DkbTFumo=; b=cd/GzmgQ+Cw2iWHAlMiQGj6iJe84dIpi7epIIM1ZrDbfncKYUFOFl3tA7wmEdEU6SQ mRTmSCELgWJEEiSM8s62SMbACLz5brAWzQRSz1fYsG+esujFTtipM8SQcRakCC7XX0VR IwMJvSHmM8/nC4JIRLi/xfONdapmKD6X2CJysfoIIktnQG80fG1u7hCIIPSZQRBEKI1R WUymJvU+BZ2Ap84v/IWifQJRDLqy/mqkWV36FgtrbXYBgMLxR+pDcklepXSDumTHZLGr Y4O8voOIpduijdCDrMtcMYcVg276MdVq+Vd4hkrclkAwchqdOeF8chXnbeuL8VUTWcGj lF4Q==
X-Gm-Message-State: APjAAAX65VCwxbm5rg4wj+jTYbQdiQ9euY5ksI5EkuM6JKhtF1JnVyfM 885wags1HKvz2iPg8XPacPPWwfnjWK00Zg==
X-Google-Smtp-Source: APXvYqwwPMHWIemvutzqTkMNvte2kduPtfNuwWXmRiWaA5dh2xI7Bt/rTGg7k69OLe6L3HLQZxnpCw==
X-Received: by 2002:a2e:8582:: with SMTP id b2mr154514lji.24.1553548137196; Mon, 25 Mar 2019 14:08:57 -0700 (PDT)
Received: from ?IPv6:2a02:a317:4e3d:46f0:8257:3c28:8576:2eba? ([2a02:a317:4e3d:46f0:8257:3c28:8576:2eba]) by smtp.googlemail.com with ESMTPSA id p22sm3541114lfh.93.2019.03.25.14.08.55 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Mon, 25 Mar 2019 14:08:55 -0700 (PDT)
From: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Openpgp: preference=signencrypt
Autocrypt: addr=wiktor@metacode.biz; keydata= mQINBFhoYHoBEADzmg9UuwDrtvyejU01gDY1J1iJiCi4XGJ4lCfYeLC2jSagIxU/5Lu0lRft 0Loi2tsjpo0c8docP7HFxafEEvnnt/iabd6I536llMuw0uno4PgnD3ljcCMZLT+vn+amIDta lzVoMnSqzoNUotMNMtjIFuAaQ/wr4/Mp9CIgJdviGUc3PscqUiiUVVtk6uF0x657NULZgSIT /Mrqlr2i4RuyPwXe2Qt0uEA3KWWjF0l2NpAMVrqz+nHsLoNOaAsfdx94bzKQrrSeSQqEO2f+ /eO/hbUAFAmEhrotmUO8wJNygo8TgkdlzFI+UE4p8/KW0aCgGGgR8YkCvHq2OQhAAYFNJoNz Hqw0FGxdsY8qWFkYpoSB8zKspNy8KliofCamMYXoPF7eVIxIiKvxrAykGP4jNnzSoV0cn+bY fXnox1IhnqbnoJIT7kTmXv4JmWoYm8ThHqpEgcQOUUQzSRXb9OiNwiXT71ijeO1qswMRpsgk 6AGKSZGWxa3c4ive/p8z1Ax27BFZSh2FceIcMCcGLrDjnQYgeFsAJ1jSxZQXkGuJFHfb4nff Big7aq/vyKrQFQXG0NQQL7rZAdk/s665vifos0yPmRDu7yDT1ggdyBp4Pa4re+ZJcNRNzNHo zU9al+CoImCQjnTtKMXmOe/BzGrpHI4QR3NNzVa423WCIWkHfwARAQABtClXaWt0b3IgS3dh cGlzaWV3aWN6IDx3aWt0b3JAbWV0YWNvZGUuYml6PokCxQQTAQoArwIbAQgLCQgHDQwLCgUV CgkICwIeAQIXgHMUgAAAAAAqAEB0aW1lc3RhbXArYml0Y29pbi10cmFuc2FjdGlvbkBtZXRh Y29kZS5iaXphZmNiMDkyYzVjYTY0MDk1MjZkMThhZTljZjIyZDNiNTVkMzdlNzIzZWIxYjc0 ZTNmODRmN2U2YjA1MmExNjJhFiEEZTkJovDjfBBvX69UbIhX4Njo8HQFAlu193MFCQWi18oA CgkQbIhX4Njo8HSAThAAqaqrTGO7eM+ljzGCtJm5rucXZ47bdwq9n4Yh/KKZd6DxM1IBUpyi nBdUVSJv3ffQ8JSFbGGfg5zR2v/3LLrVvpQMH4pj1OxS81dRVSfJ29wJPJmMW/d7v8sCSFu4 obAEVyw/y0o0W5HFr2i/v/i0/USI2uFjngZ2nq3E4+4JnBheMadX+M52CiMKRyaSxVam81Jv B/pd77sB8dmjYojZ59RqqIYh1VRc09LrNGucX2u2moZmiI+W9xV+9NTTAfKkUDAFQ9tr0blq +320VwEMCYDFJFzDqOLF119lRTaiKVwNpfCcrP3dTPToOorGLFbFrK9Ozp3I/NZT5Hrw+5yQ ZW+OXOAj2ToZ2piFBbCVUNNF2rvwt++VyHHyOmF1PnD1F496P7Pz3PUQlmpnilGD/2z1Tenm OabzFNGZVL+Tp0wpJc0aiAGS0j1GPWQONEuW1V+MrLciG9To91ROIH0TdrYS5u/lNIn3Uurs Iqn0astxXgYYIJ1zdG7oxFVbtegK3HvJQade2U/w77aWvT2NknNzRBg1BR0srJ5QaaP1idsT aGUO+hZhvpNZ9CIgBNd8CF3SLWOzwMOoxp5UbQWlA2UyR0b0QoiU96oMLz8k06BIGIeS4A/H u7xzYXdkZnau4gNDL6z8MgIUcqdL81xCOr3wQTuK83Dj0Sr6dac01fy5Ag0EWedg9QEQAMtP WapVDrMX6MPhP2O6ekoPG+C+sw9B/PejBeO6A19Z4KS7j8oCNEDG2Il+KEK/1KHWhyuTdjDE ZKeJg80N2Xa9FpFSth5b1XGXwJqO55a4r4vNKA+gr95k4gCbdsPqVIdQ2XMZTRT/xUuWlv5V x29Ek5oO9c7mrUzQLY0zeq2TFFWnq9YeAjrBq3zB7niCgcd1heWBddJZaToBvBu7yOcakmos YfMPnv0iHYrUVjfM3/D0KBE/IXud/MRNJW+503BA3nD6VqS8ge3C/TDADCiJ7LADFPi/+HJ1 diLJBHzVgLpOhCSJGkFIlry2TqtjAiAKZ0PlccIU51N9Mn0BykiK3Zcd3BTayVoLk6YbnchN NlbuPbD/PoRmbyxw3EIWlajgNAwNDqEebMw3MP7tMNZk6hs/vk7uJWIjTUv6qgj77NLawoDg qs4mnwxSTT1hL4LXAQ5vHc6Ap7fcPyF+oaU8iyN25WQcg9dK0PjbvT02MbooYK1eWDKpahe6 v8DdvU/p8P2g7w8DUCBfWdj36OtDgYltVKDAajiveDQDelwntjbtLr6SaxbdhO8Ni2NUnRMW 5/3b+ngbIwqHEaMDeijllt27cPQ1MDMEiU4Add3/8+5Cypl3vkw1en5OSxztp/jSsvsmbIu3 guYfcul7Vd3g5PlwcAZ8BkyrYpjTkpL1ABEBAAGJBFsEGAEKACYCGwIWIQRlOQmi8ON8EG9f r1RsiFfg2OjwdAUCW7X3zwUJBCPXTQIpwV0gBBkBCgAGBQJZ52D1AAoJELl6HuCdtBfs0+4P /R5gKp160iDCdLDTVQbzxlfEufC2rYlj0LyyBZWMdE8Hx7t7nDgM7jFa6Hte2lm3s9viIaOV W7J6jnDMDbsFirHOdI9Yx5gCdVWVj32+lnyTAU6sik+Az7vfm5/f5n9yKdr7w1X91TzaAdpF ZJs/HAyaK2l6A+VY45FHOBOUE2QkE7F1IITXUis2r7wuMRHoznfy2393ioHsOTiMD+Yi9ZMm w/oDuvPgUb33SgM6RHeCev7h49WowjE3VEpwcCegNVhseSD1XLMVu5nu0tHniJUvOGcfpCqc 4EkU9cmss9s63ET2O+PLbYN4HpDnzt1Nfid4fdvqWle7+mT0c/5gWpjUfhjZm6CteFlrYdlI FPJuej5fBqBhH/wGJ5eAptyRlCFDytR6WI7CR6Hv/sfVc9QT3GGFh2gQ7j2E3cRZi8VkyycC sp8ioPyK2eXnnqbzmbNDlXaHY5cZjCXyBmURqHoHmwpkI83FqWXL4c2GI7rGekl2VK/yZVlB XCLzuuWqworAUwEJH02USiRaz2OBJBzJKMn/SyCcNEXffsIbUFQSSdBSZtUX0w0gpILUxG6l y4SATpPWXUJ24VFx2W8AdyavMYl9RIDosqmfdP5w5C7rZdRxKJAF7bZSgrcNAeSkFikn4UQE iOpAbDiZOLyMtmPbs03S103QApTls+e8bmUJCRBsiFfg2OjwdLfXD/4iceGw3oN8d2A3JsAp nkWTcmrt7pPW/dr/BD0owAjlJjwismpgt/0k0eTwccR4ab2N5uVdh1jiuOBol4B6L1jJebHR Zlt7QvXRVl5hynNW8lDAsq4uWOFg/n6TDLslt83qIPYc/o1Fks5tf5HX0FcEQx77o5GFD45q 3z9ubG9qST2Lavv9hAxON3vTbMHz0o/pqU7bWw59lqtiEqm3nQgRwEc6cOgHISD3IYkwTnV8 VjLDb4VLQXlXp8hdwAGIXmD5WyJGYhbmk5YfGafzZQR0Rku/JOgzqntwI0RVKgHRWXGsxq/r IPJH5o2QjnplTMVTT50zp/ieOpNHTUX27q9bH/ivozh3zAejlgS0HNXexebwxuQct6XXcfoa zshOXsVrrqmBw4r1uO2p1HCbY0mlwNek28IQ3j481uUWT94bkfDnp1SeY4CDl7nRxApXdhEl NWAER7mVnER76YGu7NL0zV9/Sa8+V5a3vpn1WEZL6muHZ32K45pfuoj/zLpkTmnn1X8So8Qv 95Z+gJP4iz1HUEW9qqFZvsEeTS6hRoHE/1SZG6keVsPkRtdVlgwA3YJOmaN03ZtQz0Eqo9Fd hxkgfM3h8swZkxfzpsjgDs6e/1yizHNyGnQSAojxdvtVdHhO7smUt5RYCjTmWgkCh2SXVBXh vlYAytc4Xwluk16oe7kBDQRbP5UtAQgAuaF9695bhe3MzBfFBcSc+eV7rzUbOLRI6B86nKqH uPkScnzQ7bKYHr2CKtVkysPx92WLHdsGaZDNyPgSZ/Xnh2SrO+6l0GRjeTwQeua2aC4zMfqh 2usB+JSGDGFu3gfRxzLE/+RNyCwUkc2SMCYpnf0HSDCkqyeZjzJAHfvfsaG+cyhzuS+aW0LS UhktJte/4QNJAkyyPPOYS7U9ybCPylsLgGA608LGss4f4RvzYHQNyPMZa0AiwtBBSaMR5Dfb Qsl3ij5ayD2MjAdYx06NYjVdAkBqZPs3+gwP8khnycXd9JLCWfMuasQ+N80tGH32DAtNQnrq j6BmdhcvVcYTgwARAQABiQI8BBgBCgAmAhsMFiEEZTkJovDjfBBvX69UbIhX4Njo8HQFAlu1 988FCQLLoxUACgkQbIhX4Njo8HQpcRAAvsOQsP0C2CsBSvBNRRg1As3u+WMyTmBM419K1R1W yQZCPqEiaQ65TBnDIXSCsm1w25gMFBjgvOt9evEHowJMsX9Y0kSgXCMeM6AHaSnktpnxTiAR bSVvv0c5CMGIuLBR+I6ySF9YYzP86y9dTydemkZYQJkQJlfO8bOt2TdeUSp8vsGoAdSuCmqz aBAuGwlkXs7M7VCptStbjFqgX5wwX6AjIL0K7toNIMGZXuZBFFFQhjFmie+r8es7Bqvuzd7b pdynHtlDDoogfqvUHLuRuRpBZNkN70dtycBF2lgQZYyrqDjSUJQhWdAUKAYFdjn3wcrAfTd/ GyygsUBtDpKZpaDZgdYoPuRt/NeHEr6G71SDCQBEWWm6MzE290K82UAUy9VnuyuQ0y+Q50nS UP9mkvXPtGTY1CmHZi5r7skRYkd16yCEbkJIcjpmbaIvWSvqRTnGqLrkgnBfC0M3bVC40G5m 3P6WOq8I6dPLk7IGMr3muo9/RAXjDwzpmPhfVabz/23k+xKKTC3aTlMvBcet5xPtfMB6aDQl OPyWOA+eTe/EAfpu/M0n4sTmBFDUfUUNnlYFsKvPsRZ7Rzeib0auZ/r0gKCBrB9abncemayR F9yJmkBISgT8SrZ4ukmBsgCugTEk4KmI35f5FPgqxIAhqkFB74/autmGQnF0P6IMzAO5AQ0E Wz+VagEIALfzaIAu2prgEE+mmLpd5Z2o+w5ombyxvfUAaEzUWkIyaWyndzL7tKX2ofhp0EIn MTjtxjrj1VnnE1TCwSgxV/C/Flk6tjRYcKGVeeTAXFYFbDu2vUh1i1MM67Hyh4fRvu+1DasV JXZCk0SI7NBkgor6VVydttheJ2D9FJWLFEHDaPWEuZvL18MGxsoD0c6Vq+XOQYev/VZgh91m eTtegUajYnrTgW6lSiK43cObi/UmRS2FuDpLCzl+9D7zM5/XNAViFFUgMDCWBsJZDfsRYkSm ZH4dfmi3OAphGRrLbfaaKhwmQFFFZ4U4I84Xl7MGIFKR2Mbav13l9hOb5CyviQ0AEQEAAYkD cgQYAQoAJgIbAhYhBGU5CaLw43wQb1+vVGyIV+DY6PB0BQJbtffQBQkCy6LYAUDAdCAEGQEK AB0WIQTvHuD6lCD4BP3vwCaX/e802rj4KwUCWz+VagAKCRCX/e802rj4K7naCACEcQYkm2Xq LuNpI9XCzadE28KPT9BnEJtzo6zLejYcJEpjmbWM55+vkyaMR1anxrBcDl4H7SStucysLFKR le6eBncK2EZ/qxxSpK7Idlyo4lVrVVA+Ug/3BgYDOnTIIakK2sy25gfAFas3pmsmF/bvcOTT MTFXuGbs3tdnToAH9ML/kT11ccZ9JlWJcTlo4qHelS594NuGk7/mzeoZnLIxiUZUKQQNA1bE qfcGMZTAnbWk4cwnzkk6EDl5mDCZl5nd3kqACTUEZUgEZaz+crIjG4EtPBLpGy/4b7Opmsny gNtkTua4wkKhszeAVKksOETMUEEDs/wTv7CmO0XSAkbWCRBsiFfg2OjwdOW1D/sGdJczydRD diLy09AcJThxcen/YrkAEpsfoWTeBhYBFJByAanuhMx4DWjyS5+AYmsXFKF9A4xiaVgvr9z8 NVIxISv/xLPApyNrfJ/0F8CnYiWtn+7cy4Va00gaahGbOjfn/G9vbE/6dDtvm6fAMbXhwZxa Q4emZOa4vAxE+2yuMWHVEOUIcB6/JhC+SoCbHXM9+jDFdVJYLHCeiIPEz4BUNFMOdVtY4pYp ah58ZPEy/jjILPdxmH0t6KhGSRwzL9/f7WFWzXuO2xi7dALD8r8NSaQKnAxC8cItk/r3RkIx B3G9PhBmfDN0iaBZKrErk3ItpHoizSW7n84kzXODEShvT20Emh5CJ8tRrIHRgRv61hGBtK3y sSUqllw/O8Q2X952bk+7Yxr79z9fbepEmf9GvRwIWc/37pT//b74UvJW/qxhPSQij/Ira97P jLEJpB03qdT1z7/wy76EI/botldwu5gO8MAaOUEVa4OUGHunOJdnVB8QHiD/7WcIyV9OMnXQ mMlzFwNCAdbogaGQhAyRkSyZr2hR71jhSik7859Y29/DdLKQxwdi1zXUS3nTb+/ClxGKD8D4 5joqgukB5JIDmpwewZLHm44tBxcJzQHcJaIxyBLkRgit7Ralb2mKm6SP4nyqs2+5LhzxUEDJ XRujRx/4fbU1SFqd+BeXB+jRlw==
Organization: Metacode
To: Werner Koch <wk@gnupg.org>
Cc: openpgp@ietf.org
Message-ID: <02531d3b-c743-6c34-f93b-0bd7a087aa5c@metacode.biz>
Date: Mon, 25 Mar 2019 22:08:30 +0100
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="Buh4bKdUcHWAgScD9GRuepUFFRuWBjO2z"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/0kU_BcFOgngoa_H5LZUP9I35CQc>
Subject: [openpgp] Web Key Directory and CORS
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 21:09:09 -0000

Hello,

I would like to ask if it would be possible to add a mention of CORS 
header [0] in 3.1. Key discovery [1] in OpenPGP Web Key Directory document.

I think it could be added somewhere below:

>    The server SHOULD use "application/octet-stream" as the Content-Type
>    for the data but clients SHOULD also accept any other Content-Type.
>    The server MUST NOT return an ASCII armored version of the key.

And the wording may be something like: "It is RECOMMENDED that the key 
is returned with 'Access-Control-Allow-Origin' HTTP header set to value 
'*'".

The context of this change is the following: without appropriate CORS 
header JavaScript code running on one domain cannot access resources 
hosted on different domains. There are web applications that would like 
to fetch the key and encrypt data purely in the browser and send only 
encrypted blobs to the backend thus minimizing attack surface somehow. [2]

OpenPGP.js today can do WKD lookups, but without CORS header set it 
cannot fetch keys from any domain [3] thus making WKD not usable in the 
browser [4].

One similar paragraph, recommending CORS header for 
"/.well-known/host-meta" can be found in XMPP [5].

Thank you for your time!

Kind regards,
Wiktor

[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

[1]: 
https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-3.1

[2]: One such site is https://pipefile.com

[3]: This was pointed out by Sanjana Rajan:
https://github.com/openpgpjs/openpgpjs/pull/714#issuecomment-392609354

[4]: Thomas Oberndörfer mentions that "For regular web pages, CORS 
header would be beneficial":
https://github.com/mailvelope/mailvelope/issues/580#issuecomment-394690051

[5]: https://xmpp.org/extensions/xep-0156.html#impl

-- 
https://metacode.biz/@wiktor