keyoxide/keyoxide-web
26
329
Fork
You've already forked keyoxide-web
39

Filter OpenPGP Key User IDs by WKD Domain Name Queried. #248

Open
opened 2025年07月22日 16:43:23 +02:00 by j-simonson · 0 comments

Proposal

Only display OpenPGP Key User IDs and associated claims where the email address matches the WKD domain name queried.

Discussion

Depending on the context, User ID should be assumed to be synonymous with User ID email address.

Note this issue is similar to keyoxide/keyoxide-web#81, but differs in its motivation and the scope of User IDs returned.

The suggested design/policy change is to display only User IDs with emails matching the WKD domain name queried. It filters out User IDs that don't match the queried domain. Keyoxide currently displays all User IDs under a OpenPGP Key independent of whether they match the domain or not.

This change is motivated by a desire to limit the User IDs displayed to the end user to those most likely to have been vetted. The assumption is that the WKD will have vetted, in one form or another, the User IDs under their own jurisdiction. And that the WKD is less likely to have vetted email addresses outside their domain. It is expected that this will curb the opporunity for email squatting type attacks and impersonation. As way of example, such attacks includes those that rely on similar spelling of the domain name or the local part of the email address, using say for instance a homoglyph or letter transposition.

This policy change is consistent and inline with recommmended practices set forth in Internet Draft OpenPGP Web Key Directory, Section Security Considerations.

It should be noted that this deviates from the tradition of returning all User IDs of an OpenPGP key. Additionally it is rare to find other clients that uphold the same level of standard. Neither Thunderbird nor Claw Mail, which directly consume and utilize the User ID email addresses, are known to be this rigorous. Neither are WKD checkers known for checking the User IDs returned to ensure that they are consistent with this policy. Keyoxide might in fact be the first client to lead the way in this regard if it were to make this policy change.

Further it interfers with the effectiveness for those that wish to serve their own complete key via their own WKDs. They can no longer count on their entire User ID set being made visible to the end user. Nor does it fully eliminate the squatting and impersonation attacks earlier mentioned. Keyoxide is not currently in the business of providing validity claims on the User IDs themselves, nor would this by itself allow them to do so.

Reference

Further discussion can be found @ #keyoxide:matrix.org.

keyoxide/keyoxide-web#249
keyoxide/keyoxide-web#81
keyoxide/keyoxide-web#81#issuecomment-187173
keyoxide/keyoxide-web#81#issuecomment-5936170
https://gitlab.com/keys.openpgp.org/hagrid/-/issues/180

### Proposal Only display OpenPGP Key User IDs and associated claims where the email address matches the WKD domain name queried. ### Discussion Depending on the context, User ID should be assumed to be synonymous with User ID email address. Note this issue is similar to keyoxide/keyoxide-web#81, but differs in its motivation and the scope of User IDs returned. The suggested design/policy change is to display only User IDs with emails matching the WKD domain name queried. It filters out User IDs that don't match the queried domain. Keyoxide currently displays all User IDs under a OpenPGP Key independent of whether they match the domain or not. This change is motivated by a desire to limit the User IDs displayed to the end user to those most likely to have been vetted. The assumption is that the WKD will have vetted, in one form or another, the User IDs under their own jurisdiction. And that the WKD is less likely to have vetted email addresses outside their domain. It is expected that this will curb the opporunity for email squatting type attacks and impersonation. As way of example, such attacks includes those that rely on similar spelling of the domain name or the local part of the email address, using say for instance a homoglyph or letter transposition. This policy change is consistent and inline with recommmended practices set forth in [Internet Draft OpenPGP Web Key Directory, Section Security Considerations](https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service#name-security-considerations). It should be noted that this deviates from the tradition of returning all User IDs of an OpenPGP key. Additionally it is rare to find other clients that uphold the same level of standard. Neither Thunderbird nor Claw Mail, which directly consume and utilize the User ID email addresses, are known to be this rigorous. Neither are WKD checkers known for checking the User IDs returned to ensure that they are consistent with this policy. Keyoxide might in fact be the first client to lead the way in this regard if it were to make this policy change. Further it interfers with the effectiveness for those that wish to serve their own complete key via their own WKDs. They can no longer count on their entire User ID set being made visible to the end user. Nor does it fully eliminate the squatting and impersonation attacks earlier mentioned. Keyoxide is not currently in the business of providing validity claims on the User IDs themselves, nor would this by itself allow them to do so. ### Reference Further discussion can be found @ [#keyoxide:matrix.org](https://matrix.to/#/!dEfJkFpQpwvbzcegRX:matrix.org/$vSOh3eNUPbzu3AATvfgusdZ40AYQT8P_eJkUe5GzWMc?via=matrix.org&via=mackenba.ch&via=tchncs.de). ### Related keyoxide/keyoxide-web#249 keyoxide/keyoxide-web#81 [keyoxide/keyoxide-web#81#issuecomment-187173](https://codeberg.org/keyoxide/keyoxide-web/issues/81#issuecomment-187173) [keyoxide/keyoxide-web#81#issuecomment-5936170](https://codeberg.org/keyoxide/keyoxide-web/issues/81#issuecomment-5936170) https://gitlab.com/keys.openpgp.org/hagrid/-/issues/180
j-simonson changed title from (削除) Filter OpenPGP Key User IDs by WKD domainname queried. (削除ここまで) to Filter OpenPGP Key User IDs by WKD domain name queried. 2025年07月22日 16:44:16 +02:00
j-simonson changed title from (削除) Filter OpenPGP Key User IDs by WKD domain name queried. (削除ここまで) to Filter OpenPGP Key User IDs by WKD Domain Name Queried. 2025年07月22日 16:44:48 +02:00
Sign in to join this conversation.
dev
main
dev
redesign-2023
add-logging
5.1.0
5.0.1
5.0.0
5.0.0-rc.1
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2.0
4.1.1
4.1.0
4.0.2
4.0.1
4.0.0
3.6.4
3.6.3
3.6.2
3.6.1
3.6.0
3.5.2
3.5.1
3.5.0
3.4.18
3.4.17
3.4.16
3.4.15
3.4.14
3.4.13
3.4.12
3.4.11
3.4.10
3.4.9
3.4.8
3.4.7
3.4.6
3.4.5
3.4.4
3.4.3
3.4.2
3.4.1
3.4.0
3.3.1
3.3.0
3.2.0
3.1.1
3.1.0
3.0.4
3.0.3
3.0.2
3.0.1
3.0.0
2.5.0
2.4.2
2.4.1
2.4.0
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.2.8
2.2.7
2.2.6
2.2.5
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.1
2.1.0
2.0.2
2.0.1
2.0.0
2.0.0-rc.3
2.0.0-rc.2
2.0.0-rc.1
1.0.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0
Labels
Clear labels
bug
Something is not working

Archived

contribution welcome
Contributions are very welcome, get started here

Archived

enhancement
New feature

Archived

good first issue
Interested in contributing? Get started here.

Archived

Contribution welcome
Get started contributing here
Good first issue
Good if you are new to the project or to open source contributions
Impact
External
Affects the people using the project
Impact
Internal
Affects on the people working on the project
Priority
Critical
Work on right now
Priority
High
Work on at earliest convenience
Priority
Low
Work on in spare time
Priority
Medium
Work on regularly
Review
Duplicate
Already exists
Review
Off Topic
Does not fall within the scope of the repo/project
Status
Backlog
Is not being worked on yet
Status
Blocked
Is waiting on something or someone
Status
Completed
Is done
Status
In Progress
Is being worked on
Status
Investigating
Is waiting on research or questions
Status
Needs Decision
Is waiting on a decision by the devs/contributors
Status
Needs Info
Is waiting on additional information before it can be solved
Status
Needs Triage
Is new issue that needs reviewing
Status
Testing
Is being checked and verified
Status
Waiting For Review
Is waiting on reviewers to approve
Status
Won't Fix
Won't be fixed
Type
Bug
Related to something not working as intended
Type
CI
Related to continuous integration
Type
Documentation
Related to documentation
Type
Enhancement
Related to a new feature or an improved one
Type
New Claim
Related to a new identity claim/proof
Type
Security
Related to security
Type
Tests
Related to code tests
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
keyoxide/keyoxide-web#248
Reference in a new issue
keyoxide/keyoxide-web
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?