PKA updates

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Wed Feb 25 20:49:16 CET 2015


Hello Werner,

Thank you for this.

Could you elaborate on your DNSSEC comments?

Sincerely,
Buanzo.


On Wed, Feb 25, 2015 at 1:03 PM, Werner Koch <wk at gnupg.org> wrote:

> Hi!
>
> For about a decade GnuPG features a DNS based key validation system
> named PKA.  It worked by adding special TEXT records into the DNS and
> directing gpg via --auto-key-locate to make use of them.  There are
> however a couple of problems with that (e.g. the use of TEXT records) so
> that it requires a redefinition.
>
> What I implemented in master is:
>
>  - The local-part of the mailbox is now hashed and z-base-32 encoded.
>    This allows the use of characters which are not allowed as a DNS name.
>
>    The open question is what to do about case insensitivity: The
>    local-part is case sensitive but in practice nobody makes use of it.
>    It would also be quite surprising if the addresses
>    "joe.doe at example.org" and "Joe.Doe at example.org" were different
>    entities.  What I have in mind is to downcase all plain ascii
>    characters before hashing but keep the other utf-8 characters as
>    they are.  This would help with existing addresses but doesn't conflict
>    with too complicated utf-8 rules for downcasing (if they exist at
>    all).
>
>  - The code for the old PKA has been removed.
>
>  - The new command --print-pka-records prints records for insertion into
>    zone files.  Before each line an $ORIGIN line is given so that a
>    simple script can be used to divert the output to the respective
>    zone files.
>
> More work is required to use PKA only for initial key retrieval but not
> anymore for validating keys - the DNS is just too insecure for it and we
> should not rely on DNSSEC for validation either.
>
>
> Salam-Shalom,
>
>    Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>
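The record-name derivation Werner outlines above (hash the local-part, z-base-32 encode the digest, downcase only plain ASCII before hashing, and emit an $ORIGIN line per record) as an added example in Python. This is not GnuPG's code. It assumes SHA-1 as the hash and a `_pka` label under the domain (the mail specifies neither; both are taken from the older PKA scheme), and it lowercases the domain part on the assumption that DNS names are case-insensitive. The record type and RDATA are not described in the mail and are left as a placeholder.

```python
import hashlib

# z-base-32 alphabet (Phil Zimmermann's variant, which GnuPG's zb32 code uses).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zb32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant
    bits first, trailing bits zero-filled, no padding characters.
    20 hash bytes (160 bits) therefore become exactly 32 characters."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # Shift left so the bit string is a whole number of 5-bit groups.
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZB32_ALPHABET[(value >> ((nchars - 1 - i) * 5)) & 0x1F]
        for i in range(nchars)
    )


def fold_local_part(local: str) -> str:
    """Downcase only plain ASCII letters A-Z and leave every other code
    point untouched: the rule proposed in the mail, which sidesteps
    Unicode case-folding entirely (so 'Ö' and 'ö' stay distinct)."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in local)


def pka_owner_name(mailbox: str, hash_name: str = "sha1") -> str:
    """Derive the DNS owner name for a mailbox's PKA record.

    Assumptions not stated in the mail: the hash is SHA-1 and the records
    live under a "_pka" label below the domain, as in the old PKA scheme.
    The domain part is lowercased in full because DNS names are
    case-insensitive anyway.
    """
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    digest = hashlib.new(hash_name, fold_local_part(local).encode("utf-8")).digest()
    return f"{zb32_encode(digest)}._pka.{domain.lower()}"


def zone_fragment(mailbox: str) -> str:
    """Render an $ORIGIN line followed by the relative owner label, the
    shape the mail describes for --print-pka-records output so a script
    can route each record to its zone file.  Record type and RDATA are
    not specified in the mail, so a placeholder comment stands in."""
    owner = pka_owner_name(mailbox)
    label, _, origin = owner.partition(".")
    return f"$ORIGIN {origin}.\n{label}  ; <record type and RDATA not specified here>\n"


if __name__ == "__main__":
    # Constructed sample mailboxes: the first two must map to the same name,
    # the third shows a non-ASCII character surviving the fold unchanged.
    for mbox in ("joe.doe@example.org", "Joe.Doe@Example.ORG", "Jöe@example.org"):
        print(f"{mbox:22s} -> {pka_owner_name(mbox)}")
    print(zone_fragment("joe.doe@example.org"))
```

The ASCII-only fold is what makes the two spellings of joe.doe collapse to one record while leaving the harder Unicode question untouched, which is exactly the trade-off the mail proposes.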