OpenPGP data in the CERT RR

Simon Josefsson jas at extundo.com
Tue Aug 6 03:06:01 CEST 2002


David Shaw <dshaw at jabberwocky.com> writes:

> On Mon, Aug 05, 2002 at 05:46:40PM +0200, Simon Josefsson wrote:
>
>> 2.1 OpenPGP Key ID Based RR Owner Name
>> 
>>    The Key ID owner name format is usually used in a situation where a
>>    party is serving keys on behalf of someone else.  This is usually a
>>    big server containing lots of keys, used by many clients.  The owner
>>    name should be the 4 byte OpenPGP Key ID prepended with "0x" (sans
>>    quotes) appended to the system's zone.  An example:
>> 
>>     0x789ABCDE.dnskeys.example.org. IN CERT PGP 0 0 <OpenPGP binary>
>
> Are you sure this is a good idea?  4 byte key IDs can collide fairly
> easily, especially with v3 keys.  

I thought a little about that, even considered generating a lot of keys
until I got a KeyID of 0xDEADBEEF... :-)

> I think that this should be the key fingerprint, and then you can
> CNAME as many other names to this one canonical name as you like:
>
> 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.  IN CERT PGP 0 0 <OpenPGP binary>
>
> email address:
>
> dshaw.jabberwocky.com.  IN CNAME  0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
>
> 4 byte keyid:
> 0x99242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
>
> 8 byte keyid:
> 0x1DB698D7199242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
>
> etc.
>
> This should work for either self-published or keyserver sort of
> access.

Yup.  Are there cases (worth writing specifications for) where you
only have a 4 or 8 byte key id?  I would prefer to not add even more
flexibility in the owner name guidelines if possible, as flexibility
might mean wasted round trips querying for stuff that isn't there.
Thanks for your comments.
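As an added example (not from the thread or from GnuPG), the fingerprint-canonical layout David describes, in Python: derive the 8- and 4-byte key IDs from a v4 fingerprint, emit the CERT record under the fingerprint with CNAME aliases for the shorter IDs, and estimate with the birthday bound how quickly 4-byte IDs collide. The fingerprint and zone names are the ones quoted above; `whatever.com` as the alias zone is a placeholder, and v3 keys are rejected because their key ID is not a suffix of the fingerprint.

```python
import math

# Fingerprint and zone names are taken from the thread; the alias zone
# is an illustrative placeholder.
EXAMPLE_FPR = "7D92FD313AB6F3734CC59CA1DB698D7199242560"


def key_ids_from_fingerprint(fpr_hex):
    """Return (fingerprint, 8-byte key ID, 4-byte key ID) for a v4 key.

    For v4 keys the key ID is the low-order 64 bits of the 20-byte SHA-1
    fingerprint and the short ID its low-order 32 bits.  v3 keys are
    rejected: their key ID comes from the RSA modulus, not the fingerprint.
    """
    fpr = fpr_hex.replace(" ", "").upper()
    if len(fpr) != 40:
        raise ValueError("expected a 20-byte v4 fingerprint")
    int(fpr, 16)  # raises ValueError on non-hex input
    return fpr, fpr[-16:], fpr[-8:]


def owner_name(hex_id, zone):
    """'0x' + hex id as the leftmost label; a DNS label may not exceed 63 octets."""
    label = "0x" + hex_id
    if len(label) > 63:
        raise ValueError("label too long for DNS")
    return f"{label}.{zone}."


def cert_records(fpr_hex, key_zone, alias_zone):
    """One CERT RR under the fingerprint plus CNAMEs for the long and short IDs."""
    fpr, long_id, short_id = key_ids_from_fingerprint(fpr_hex)
    canonical = owner_name(fpr, key_zone)
    records = [f"{canonical} IN CERT PGP 0 0 <OpenPGP binary>"]
    for alias in (long_id, short_id):
        records.append(f"{owner_name(alias, alias_zone)} IN CNAME {canonical}")
    return records


def collision_probability(n_keys, id_bits):
    """Birthday-bound estimate of P(some two of n_keys random IDs coincide)."""
    pairs = n_keys * (n_keys - 1) / 2
    return 1.0 - math.exp(-pairs / 2.0 ** id_bits)


if __name__ == "__main__":
    for r in cert_records(EXAMPLE_FPR, "dnskeys.example.org", "whatever.com"):
        print(r)
    for n in (10_000, 100_000):
        print(n, "keys: P(4-byte collision) = %.3f, P(8-byte) = %.2e"
              % (collision_probability(n, 32), collision_probability(n, 64)))
```

With 100,000 keys on a server the 4-byte ID already collides with probability around 0.69, while the 8-byte ID stays below one in a billion, which is the risk behind David's objection.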

More information about the Gnupg-devel mailing list