looking up pgp keys
Tim Prepscius
timprepscius at gmail.com
Tue Sep 10 02:40:42 CEST 2013
Thank you very much for this feed back.
I'm thinking, thinking, thinking...
Here is sort of a naive question:
Why aren't the results from the http://pgp.mit.edu:11371 signed with their key?
They have an http request but there is no way I can tell if I've been mitm-ed.
I should be able to ask each server I request from, the public key of
the other servers, and then check the signature of each against each
other
??
Is this implemented and I'm missing it somehow?
-tim
On 9/9/13, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 09/09/2013 02:12 AM, Phil Pennock wrote:
>
>> Note that most recipient mail-servers will not also run PGP keyservers,
>> If you want that approach to take off, I suggest figuring out a DNS
>> scheme for asking for SRV records _mail-openpgp._tcp.example.org or
>> somesuch. The details don't matter.
>
> If you do something like that, please don't make up your own scheme.
> The current proposed draft for this kind of lookup is from Paul Wouters:
>
> https://tools.ietf.org/html/draft-wouters-dane-openpgp
>
> If you are working on implementing this sort of scheme, and you evaluate
> your threat models sensibly like Phil is suggesting, and you think you
> see a problem with it, or a way it could be improved, you should mention
> it to Paul. i'm sure he would be happy to get feedback from
> implementors for a revised draft if it is necessary.
>
> Regards,
>
> --dkg
>
>
More information about the Gnupg-devel
mailing list