PKA updates
Werner Koch
wk@gnupg.org
Wed Feb 25 17:03:38 CET 2015
Hi!
For about a decade GnuPG features a DNS based key validation system
named PKA. It worked by adding special TEXT records into the DNS and
directing gpg via --auto-key-locate to make use of them. There are
however a couple of problems with that (e.g. the use of TEXT records) so
that it requires a redefinition.
What I implemented in master is:
- The local-part of the mailbox is now hashed and z-base-32 encoded.
  This allows the use of characters which are not allowed in a DNS name.
  The open question is what to do about case insensitivity: The
  local-part is case sensitive but in practice nobody makes use of it.
  It would also be quite surprising if the addresses
  "joe.doe@example.org" and "Joe.Doe@example.org" were different
  entities. What I have in mind is to downcase all plain ASCII
  characters before hashing but keep the other UTF-8 characters as
  they are. This would help with existing addresses but not conflict
  with too complicated UTF-8 rules for downcasing (if they exist at
  all).
- The code for the old PKA has been removed.
- The new command --print-pka-records prints records for insertion into
  zone files. Before each line an $ORIGIN line is given so that a
  simple script can be used to divert the output to the respective
  zone files.
More work is required to use PKA only for initial key retrieval but not
anymore for validating keys - the DNS is just too insecure for it and we
should not rely on DNSSEC for validation either.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
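The hashing scheme sketched in the message above, worked through as an added example. This is not GnuPG's code and not part of the original post. The message does not name the hash function, the subdomain label or the TXT payload; SHA-1, the `_pka` label and the `v=pka1;fpr=...;uri=...` payload are assumptions taken from the pre-existing PKA scheme. The z-base-32 alphabet is the published one. The mailboxes and fingerprint in `main()` are constructed sample input.

```python
"""Added example (not GnuPG's code): hashed, z-base-32 encoded PKA lookup
names with ASCII-only downcasing of the local-part.

Assumptions not stated in the message: SHA-1 as the hash, the ``_pka``
subdomain label and the ``v=pka1;fpr=...;uri=...`` TXT payload.
"""
import hashlib
import string

# z-base-32 alphabet: only lower-case letters and digits, so the result is
# always a valid DNS label whatever the local-part contained.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Translation table that touches A-Z only; every other code point is kept.
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def ascii_downcase(local_part: str) -> str:
    """Downcase plain ASCII letters only, leaving other UTF-8 characters as is.

    str.lower() would also fold e.g. 'Ä' to 'ä' and thus pull in Unicode
    case-mapping rules; the rule proposed in the message avoids that.
    """
    return local_part.translate(_ASCII_LOWER)


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: MSB-first 5-bit groups, no padding."""
    out = []
    acc = 0      # bit accumulator
    nbits = 0    # number of not yet consumed bits in acc
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # a trailing partial group is padded with zero bits
        out.append(ZB32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def pka_label(local_part: str) -> str:
    """DNS label for a local-part: z-base-32(SHA-1(ascii_downcase(local-part))).

    SHA-1 is an assumption; its 160-bit digest encodes to exactly 32 characters.
    """
    digest = hashlib.sha1(ascii_downcase(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)


def pka_name(mailbox: str) -> str:
    """Fully qualified name to look up for a mailbox (assumed ``_pka`` label)."""
    local_part, domain = mailbox.rsplit("@", 1)
    return f"{pka_label(local_part)}._pka.{domain}"


def zone_file_records(mailbox: str, fingerprint: str, uri: str) -> str:
    """Zone-file fragment in the style of --print-pka-records: an $ORIGIN line
    before the record, so a script can split the output per zone.
    The TXT payload format is an assumption (the old PKA format)."""
    local_part, domain = mailbox.rsplit("@", 1)
    return (f"$ORIGIN {domain}.\n"
            f"{pka_label(local_part)}._pka\tIN\tTXT\t"
            f"\"v=pka1;fpr={fingerprint};uri={uri}\"\n")


def main() -> None:
    # Constructed sample input; the fingerprint is a placeholder, not a real key.
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"
    for mailbox in ("joe.doe@example.org", "Joe.Doe@example.org",
                    "Jörg.Müller@example.org", "Ärger@example.org"):
        print(pka_name(mailbox))
    print(zone_file_records("joe.doe@example.org", fpr,
                            "https://example.org/keys/joe.pgp"), end="")


if __name__ == "__main__":
    main()
```

The first two mailboxes print the same name because only ASCII letters are folded before hashing; `Ärger` keeps its `Ä`, so a sender writing `ärger@example.org` would get a different label, which is exactly the case the message leaves open.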