Re: [openpgp] Web Key Directory and CORS

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 01 April 2019 04:02 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org>, Werner Koch <wk@gnupg.org>
Cc: openpgp@ietf.org
In-Reply-To: <02531d3b-c743-6c34-f93b-0bd7a087aa5c@metacode.biz>
References: <02531d3b-c743-6c34-f93b-0bd7a087aa5c@metacode.biz>
Date: Sun, 31 Mar 2019 19:22:47 -0400
Message-ID: <87y34uaat4.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/BPceYKy48D1jMN02VuQgXgZPiQo>

On Mon 2019-03-25 22:08:30 +0100, Wiktor Kwapisiewicz wrote:
> And the wording may be something like: "It is RECOMMENDED that the key 
> is returned with 'Access-Control-Allow-Origin' HTTP header set to value 
> '*'".

I think this is potentially dangerous if it is done on the main domain
(e.g. at "example.net", instead of the "advanced" form at
"openpgpkey.example.net"), because the main domain for any given site
might have resources where this CORS header would be inappropriate.

Assuming that the "advanced" domain "openpgp.example.net" is used, and
the document tree published there is limited to WKD, then i agree that
such a CORS statement seems safe, though.

I don't know CORS well enough to know how to properly constrain such a
header, but if we do add guidance, i'd want to make sure it is narrowly
scoped so that an administrator deploying WKD doesn't accidentally open
up the rest of the site's data to external cross-origin requests.

   --dkg
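
One way to keep the header narrowly scoped, as an added example that is not part of the original message or of the WKD draft: a Python WSGI middleware that adds `Access-Control-Allow-Origin: *` only to responses under the WKD path prefix `/.well-known/openpgpkey/` and leaves every other response on the site as the application produced it. `ScopedCORS`, `is_wkd_path`, `demo_app` and `headers_for` are hypothetical names, and the sample paths are constructed.

```python
import posixpath
from wsgiref.util import setup_testing_defaults

# Path prefix under which WKD resources are published (direct and advanced methods).
WKD_PREFIX = "/.well-known/openpgpkey/"


def is_wkd_path(path):
    """True only if the decoded request path, once normalised, stays inside the WKD tree."""
    # normpath collapses "." and ".." so "/.well-known/openpgpkey/../x" cannot pass,
    # and the trailing slash in WKD_PREFIX rejects siblings such as "openpgpkey-backup".
    return posixpath.normpath(path).startswith(WKD_PREFIX)


class ScopedCORS:
    """WSGI middleware: wildcard CORS for WKD responses, nothing added anywhere else."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # PATH_INFO is already percent-decoded by the WSGI server.
        allow = is_wkd_path(environ.get("PATH_INFO", ""))

        def scoped_start(status, headers, exc_info=None):
            if allow:
                headers = list(headers) + [("Access-Control-Allow-Origin", "*")]
            return start_response(status, headers, exc_info)

        return self.app(environ, scoped_start)


def demo_app(environ, start_response):
    # Constructed stand-in for the whole site: every path answers 200.
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [b""]


def headers_for(path):
    """Run one constructed request through the middleware and return its response headers."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(ScopedCORS(demo_app)(environ, start_response))
    return captured
```
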