PKA updates

Werner Koch wk at
Wed Feb 25 17:03:38 CET 2015


For about a decade GnuPG has featured a DNS based key validation system
named PKA.  It worked by adding special TEXT records into the DNS and
directing gpg via --auto-key-locate to make use of them.  There are
however a couple of problems with that (e.g. the use of TEXT records) so
that it requires a redefinition.

What I implemented in master is:

 - The local-part of the mailbox is now hashed and z-base-32 encoded.
   This allows the use of characters which are not allowed in a DNS name.

   The open question is what to do about case insensitivity: The
   local-part is case sensitive but in practice nobody makes use of it.
   It would also be quite surprising if the addresses
   "joe.doe at" and "Joe.Doe at" were different
   entities.  What I have in mind is to downcase all plain ASCII
   characters before hashing but keep the other UTF-8 characters as
   they are.  This would help with existing addresses but not conflict
   with too complicated UTF-8 rules for downcasing (if they at all

 - The code for the old PKA has been removed.

 - The new command --print-pka-records prints records for insertion into
   zone files.  Before each line an $ORIGIN line is given so that a
   simple script can be used to divert the output to the respective
   zone files.

More work is required to use PKA only for initial key retrieval but not
anymore for validating keys - the DNS is just too insecure for it and we
should not rely on DNSSEC for validation either.



Thoughts are free.  Exceptions are regulated by a federal law.

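Added example, not GnuPG's own code: the hashing and z-base-32 encoding
of the local-part, with the ASCII-only downcasing proposed in the post,
carried through to a DNS owner name and the $ORIGIN line that
--print-pka-records is described as emitting.  The post names neither
the hash function nor the owner-name layout; SHA-1 and the
<hash>._pka.<domain> layout used below are assumptions.  The mailboxes
fed in at the bottom are constructed test input.

```python
"""Hashed, z-base-32 encoded local-part for a DNS key lookup.

Added example, not GnuPG code.  Assumptions not stated in the post:
  - the hash is SHA-1 (a 20-byte digest, which z-base-32 encodes to
    exactly 32 characters with no padding)
  - the DNS owner name is <hash>._pka.<domain>
"""
import hashlib

# Zooko's z-base-32 alphabet: lowercase only, no padding characters,
# so the result is always a legal single DNS label.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes MSB-first in 5-bit groups; a final partial group is zero-padded."""
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) % 5:
        bits += "0" * (5 - len(bits) % 5)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def fold_local_part(local_part: str) -> str:
    """Downcase only plain ASCII letters A-Z; every other code point is kept as-is.

    This deliberately avoids Unicode case folding so that the result does
    not depend on locale or Unicode-version specific rules.
    """
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c
                   for c in local_part)


def hashed_local_part(local_part: str) -> str:
    """Hash the folded local-part and z-base-32 encode the digest (SHA-1 assumed)."""
    digest = hashlib.sha1(fold_local_part(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)


def pka_owner_name(mailbox: str) -> str:
    """Build the DNS owner name for a mailbox (the '_pka' label is an assumption)."""
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    # DNS names are case-insensitive, so the domain part can be lowered freely.
    return f"{hashed_local_part(local)}._pka.{domain.lower()}"


def origin_and_label(mailbox: str) -> tuple:
    """Split the owner name into the $ORIGIN zone and the relative label.

    Returns (origin, label); printing "$ORIGIN <origin>." before the
    record line lets a small script route it into the right zone file.
    """
    label, _, origin = pka_owner_name(mailbox).partition(".")
    return origin, label


if __name__ == "__main__":
    # Constructed sample mailboxes: same address in two spellings, plus a
    # non-ASCII local-part whose umlauts must survive the folding untouched.
    for mbox in ("Joe.Doe@Example.ORG", "joe.doe@example.org",
                 "Jörg.Müller@example.org"):
        origin, label = origin_and_label(mbox)
        print(f"$ORIGIN {origin}.")
        print(f"{label}    ; for {mbox}")
```

The two spellings of joe.doe produce the same label, while the umlauts in
the third address are hashed as their UTF-8 bytes rather than being
case-folded, which is exactly the behaviour the post proposes.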