Automatic key verification / CERT in DNS / RFC4398
julian at mehnle.net
Tue Apr 4 15:37:35 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Jeroen Massar wrote:
> [GnuPG 1.4.3 / Public Key Association (PKA) / CERT in DNS / RFC 4398]
> Can we start doing automatic key verification for mail !?
> It would be really good if there would now come a draft which will
> propose the standard order of getting a key, when one doesn't have it or
> wants to get it again. This release of GnuPG allows one to already
> specify it. It would be really good if this was standardized and also
> implemented. Especially in combination with a domain policy (which could
> be incorporated in say SPF).
Indeed the SPF project has plans to introduce another revision of the SPF
protocol, now that SPFv1 (v=spf1) will be out as an IETF RFC within the
next few weeks. While v=spf1 only supports IP-address-based authenti-
cation of the envelope sender, the idea has long been for SPF to be much
more than that, i.e. to be a "Sender Policy Framework" allowing domain
owners to specify a wide range of policies, covering non-envelope (RFC
2822) identities and authentication methods like DKIM, PGP, and S/MIME.
The rough timeline could be for that revision to be released sometime in
Q3/2006 to Q1/2007, depending on the feature set chosen (which is still
open to debate).
> Thus, eg I mail from jeroen at unfix.org, one can lookup _policy.unfix.org,
> which will say "mail:PGP:required" or something similar. SMTP
> clients/servers receiving mail signed by me, can then use one, or more,
> of the key retrieval techniques to fetch the key. PKA + Cert become very
> good for this and thus allow automatic verification. When the mail is
> not signed or falsely signed, one can discard the message based on the
> This all though leads to a concern on the placing of the CERTS. Having a
> large user base would mean that one has say 600k records or more in the
> main zone for a domain, which gets reloaded every now and then when one
> needs to update it. It would IMHO be better to be able to off load those
> records to say _cert.example.org. [...]
While for v=spf1 mostly TXT RRs are used in practice, SPF has been assigned
a dedicated "SPF" RR type (code 99), which is already being used (queried)
by a few implementations. Also, SPF's macro feature would be useful for
specifying custom DNS zone layouts for where to search for key records.
(Are there ones besides CERT/RFC2538/RFC4398?)
What do folks -- especially the gnupg-devel ones -- think about using SPF
for that purpose? Are there any non-obvious fundamental issues that need
to be taken into account?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v126.96.36.199 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Gnupg-devel