[openpgp] Fwd: draft-koch-openpgp-webkey-service-21 early Httpdir review
Mark Nottingham <mnot@mnot.net> Wed, 18 February 2026 01:59 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1BBB3B915BEC for <openpgp@mail2.ietf.org>; Tue, 17 Feb 2026 17:59:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b="nhWlKlrW"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="lDpGzcRv"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfjS_FUF-PiQ for <openpgp@mail2.ietf.org>; Tue, 17 Feb 2026 17:59:02 -0800 (PST)
Received: from fhigh-b3-smtp.messagingengine.com (fhigh-b3-smtp.messagingengine.com [202.12.124.154]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1B9A4B915BE5 for <openpgp@ietf.org>; Tue, 17 Feb 2026 17:59:02 -0800 (PST)
Received: from phl-compute-06.internal (phl-compute-06.internal [10.202.2.46]) by mailfhigh.stl.internal (Postfix) with ESMTP id 7A2E87A00C0 for <openpgp@ietf.org>; Tue, 17 Feb 2026 20:58:55 -0500 (EST)
Received: from phl-frontend-03 ([10.202.2.162]) by phl-compute-06.internal (MEProxy); Tue, 17 Feb 2026 20:58:55 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-type:content-type:date:date:from:from:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to; s=fm1; t=1771379935; x=1771466335; bh=MJ5M51nUp41ZknosOpZOV 3WzODRsXmw7RxzHefjOJWw=; b=nhWlKlrWT7nFI38VB7gVd9ZuDTmCPkdQ313it 6KM3uC/c2L3uvohNKynHA0ZdUJubXBMW/v7Jl2SXun2IrX9fpMzS0mkVtLAGI42l 9xIDyMkdpY1hxINpYq7e5NFvMpHco3glhvWq7VMCFv5z8yCFBDVumkZVKnaiaSFh RbHNwD3PkUk/2t9pEITsxCc2N6zPvaiyqiaRXcYB1vFpLQm/8MS7idqL+z8u9LfG MPWmOvhUHevfy3AalKFaLAqSEBjfuf1Njen1YmN8OcbvDZTA5t9N167Wlb2WOCXd D8GUoW9UeHwO5Dj9KioZaU2WPSImZP1gQa5lBSumgpuQeax4Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1771379935; x=1771466335; bh=MJ5M51nUp41ZknosOpZOV3WzODRsXmw7Rxz HefjOJWw=; b=lDpGzcRvud476HP4cFdjY5Bjz7bHybT40z5A/Fjw7JPJsAfJc/k P0qStSRJOPwasLad29M/woSCtv0S8BfVQk6592YDkNDGZdj6BUHKpVLb04Wi9DR3 vMEnSa5vD05Lh0ieHnzH8eNrYspv27bpA2KsnLtODOVOU8XIwDsX3IcwPJHNinHt RUJk1CyYij9WhFE9O1A9f+PbketJaU+D5ZztT5augVYni55uRpAIBskwKImx8waH zSku9DDA3UBHQIHREA9D4BNk8NfPnQVRN4/NjJ11BDO47ODOi5NQsGvuMsET/LRi jW5I3nn4i7vp4Ww+6z/ZUe5aq0b8pbm0I4A==
X-ME-Sender: <xms:3xyVaWrk5n2HLdzil88oMEfVSfDubnwRZwFegdmspq1HKM2fLOKj_Q> <xme:3xyVaagO3PwU5f95v6pAbhp8b3Y19Bow5Yw6wKQ2O7eqfOTs1UHQOQuSaojXR0NUY QwY8n7kBk1wEaydnZaOyGLymvDeZNecRPnGH83Zjdq2NhekQIk2vw>
X-ME-Received: <xmr:3xyVaWT6bZrai-VvZTTX3ARWo7lB1kj2u1vfE76-xW8XHfvC3gBDAvUdCJJieMp8dLzekYWOyDLT9uFv4g3TVQmozKAV4Iw2x4tHvUFHQ38vFtUafbRcKw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgddvvddufeekucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucenucfjughrpefhtggguffkfhfvfffosegrtdhmrehhtd ejnecuhfhrohhmpeforghrkhcupfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdr nhgvtheqnecuggftrfgrthhtvghrnhepheeljeeileefgfehuefgieeghedtffeluddvje evleffteeiheelgeejgeeiveetnecuffhomhgrihhnpeiffedrohhrghdpihgvthhfrdho rhhgpdgvgigrmhhplhgvrdhorhhgpdhmnhhothdrnhgvthenucevlhhushhtvghrufhiii gvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmnhhothesmhhnohhtrdhnvghtpdhn sggprhgtphhtthhopedupdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehophgvnh hpghhpsehivghtfhdrohhrgh
X-ME-Proxy: <xmx:3xyVaSuJmcKp7bUlfPbgar3ymrB520BaKDxGo_DQ2rGjSGMyF64ROA> <xmx:3xyVaZd0YgaDsmPWowxBAXVIDedoh_SaZcO-BISQGxjwyme7GI26wQ> <xmx:3xyVaXLPVALFSGruj-w9wVedRDR5VdhjwXJM3MsdF0wYQRQWtgDbQg> <xmx:3xyVafa0uep9rprmrvH6T5QA3jNJvXbHr8bBLpXc4tsPni2scjlgiA> <xmx:3xyVaSS3neEZU064-ZvWOjtqGR2fNVUxmJ28SIhSKOpRxNrVUxpZAdCm>
Feedback-ID: ie6694242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <openpgp@ietf.org>; Tue, 17 Feb 2026 20:58:54 -0500 (EST)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1F648E59-E09B-4D0D-8E1C-27CAE249FDC3"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\))
Message-Id: <01A4115E-122E-4337-8DC4-EB09D9C31E01@mnot.net>
References: <177137931513.1151378.16577022032103443499@dt-datatracker-6ff7c68975-7k42g>
To: openpgp@ietf.org
Date: Wed, 18 Feb 2026 12:58:50 +1100
X-Mailer: Apple Mail (2.3864.400.21)
Message-ID-Hash: 5NYQIU6GSL5EV47GTH2TXVF4FRFO3ZK3
X-Message-ID-Hash: 5NYQIU6GSL5EV47GTH2TXVF4FRFO3ZK3
X-MailFrom: mnot@mnot.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Fwd: draft-koch-openpgp-webkey-service-21 early Httpdir review
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/pRyxk_f3RLbTN3vtXvGb6-rD3cw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hello OpenPGP folks, As HTTP Directorate chair, I asked for an early review of this document because I saw that this group was chartered to work on it, and because it seems to be getting deployment in the wild. Please see below. Cheers, > Begin forwarded message: > > From: Martin Thomson via Datatracker <noreply@ietf.org> > Subject: draft-koch-openpgp-webkey-service-21 early Httpdir review > Date: 18 February 2026 at 12:48:35 pm AEDT > To: <ietf-http-wg@w3.org> > Cc: draft-koch-openpgp-webkey-service.all@ietf.org > Resent-From: ietf-http-wg@w3.org > Reply-To: Martin Thomson <mt@lowentropy.net> > Archived-At: <https://www.w3.org/mid/177137931513.1151378.16577022032103443499@dt-datatracker-6ff7c68975-7k42g> > List-Id: <ietf-http-wg.w3.org> > > Document: draft-koch-openpgp-webkey-service > Title: OpenPGP Web Key Directory > Reviewer: Martin Thomson > Review result: Not Ready > > This is a preliminary review only. I'm going to try to limit the feedback to > HTTP matters, though I have not managed to do that. > > This document is three things: > > * A means of accessing a directory of public keys over HTTP > * A predominantly SMTP-based protocol for populating those directories > * Security-relevant, because getting the wrong key will allow the wrong person > to read mail > > This review is aimed at the first, though it covers the small role that HTTP > plays in the second. I have questions about the third, but that's not my focus > here. > > A lot of this review is a specialized repackaging of the content of RFC 9205. > I encourage the authors of this proposal to review that document. > > # The domain label > > The protocol defines a special domain name label. > https://datatracker.ietf.org/doc/html/rfc8820#name-uri-authorities explains why > taking a name out of the namespace controlled by hundreds of millions of domain > owners is unwise. I strongly recommend against this practice. This is more > the case that the "direct" version seems to be a more practical path anyway. > The /.well-known prefix was reserved for exactly this sort of thing. > > BTW, the fact that the domain is not part of the /.well-known path for the > "direct" mode seems backwards to me. A domain that is setup to handle this > protocol exclusively is more likely to be hosting keys for multiple entities; > the current design forces that service to always include "openpgpkey" in its > name. Overall, having the domain in the path always would be more robust. > > # Redundant local part > > It's not clear to me why the local part of the email address is included > multiple times. The role of SHA-1 here is also pretty questionable (more > below). This is something that percent encoding is pretty good at handling. > The half-hearted attempt at canonicalization used here is a constraint on mail > operators (who might want t@ and T@ to go to different inboxes) and > insufficient to capture the range of equivalence practices (like > a.b.c@gmail.com == abc@gmail.com or the common foo+bar@ == foo@). Better to > leave that to servers to manage. > > # Case sensitivity > > Domain name casing is weird. Not in this specification, but more generally. I > suggest that you reconsider the way this works presently. Rather than push the > requirement to handle casing on clients, which makes it an interoperability > hazard, you can have the server handle it. > /.well-known/openpgpkey/example.org/... and > /.well-known/openpgpkey/Example.org/... can map to the same resource on the > server. (Redirects and Content-Location exist to handle this sort of > equivalence.) > > If you really want to tangle with this particular problem, which includes > internationalized domain names, the current design doesn't really hold up well. > You can maybe mandate the use of A-labels, but you need to be careful about > how use of those is specified. > > # Redirects > > This doesn't say anything about redirects. As a practical matter, if you are > using HTTP, you want to note that following redirects is expected. This has > many benefits: > > * An operator can delegate responsibility for running the API to another entity. > * A server can direct requests to equivalent URLs to a single canonical URL. > * You get consistent implementation of this important feature. Otherwise, if > some clients will follow redirects and others don't, you can end up with no > meaningful interoperability. > > # Media types > >> The HTTP GET method MUST return the binary representation of the OpenPGP key > for the given mail address. > > Where is this representation defined? > > I see that the SMTP interactions are careful to define media types so that mail > processing can confidently handle different content. The same courtesy is not > extended to HTTP resources. The specification even recommends the use of > "application/octet-stream" for this. As a general rule, that media type is not > a good idea when defining protocols, where having certainty about formats is > useful for managing version migration. > > This applies to the published keys and the resources at > $WELLKNOWN/submission-address $WELLKNOWN/policy equally. > > # Policy flags > > This format seems under-specified. Note that while I consider RFC 9309 > insufficiently specified, it is far better defined than this. > > # Security > > And because I can't help myself: > > * This protocol does a proof of possession for the key. It's not clear that > this is a necessary function. It also appears to do a routeability check for > the address being claimed, which I believe is necessary. Is there a security > analysis, akin to those done for the ACME protocol, that confirms that this > protocol is not vulnerable to the panoply of attacks that such protocols tend > to be vulnerable to? ACME had some serious problems with its design, which > demonstrates the value of such analysis. > > * I don't see any effort made to ensure that the operator of the HTTP server is > authorized to operate as an authority for information about the mail > infrastructure. Other efforts in this domain use DNS records for this purpose. > I realize that the problem statement said that this can be effectively "too > hard", but I don't find that persuasive. > > * SHA-1 appears to play a significant role here. Given that it has been shown > to have collision attacks and this protocol (as specified) would appear to > depend on collision resistance, that seems like a genuine problem. If I > request keys for an address with a collision, how can I be sure that I'm > getting the keys I intended? (Above, I suggested that hashing might not even > be needed; please consider that.) > > * The other reason to use a hash function might be to discourage enumeration of > addresses. (To be clear, it's not a particularly /good/ protection given the > low entropy of local parts.) What measures, if any, can be put in place to > protect the privacy of addresses from crawling and scraping? > > * I'm not sure that you should talk about failures in previous versions of a > document like this: "The use of DNS SRV records as specified in former > revisions of this document reduces the certainty that a mail address belongs to > a domain." Besides, the opposite might be true, depending on the answer to the > authority question I ask above. > > # Nits > > What is "hu"? > > I see a few places where references are in the form "as specified below". > Please add section references instead. > > > -- Mark Nottingham https://www.mnot.net/
- [openpgp] Fwd: draft-koch-openpgp-webkey-service-… Mark Nottingham