Arturo 'Buanzo' Busleiman
buanzo at buanzo.com.ar
Wed Feb 25 20:49:16 CET 2015
Thank you for this.
Could you elaborate on your DNSSEC comments?
On Wed, Feb 25, 2015 at 1:03 PM, Werner Koch <wk at gnupg.org> wrote:
> For about a decade GnuPG features a DNS based key validation system
> named PKA. It worked by adding special TEXT records into the DNS and
> directing gpg via --auto-key-locate to make use of them. There are
> however a couple of problems with that (e.g. the use of TEXT records) so
> that it requires a redefinition.
> What I implemented in master is:
> - The local-part of the mailbox is now hashed and z-base-32 encoded.
> This allows the use of characters which are not allowed as a DNS name
> The open question is what to do about case insensitivity: The
> local-part is case sensitive but in practice nobody makes use of it.
> It would also be quite surprising if the addresses
> "joe.doe at example.org" and "Joe.Doe at example.org" would be different
> entities. What I have in mind is to downcase all plain ascii
> characters before hashing but keeping the other utf-8 characters as
> they are. This would help with existing addresses but doesn't conflict
> with too complicated utf-8 rules for downcasing (if they at all
> - The code for the old PKA has been removed.
> - The new command --print-pka-records prints records for insertion into
> zone files. Before each line an $ORIGIN line is given so that a
> simple script can be used to divert the output to the respective
> zone files.
> More work is required to use PKA only for initial key retrieval but not
> anymore for validating keys - the DNS is just too insecure for it and we
> should not rely on DNSSEC for validation either.
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
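An added example, not code from the thread or from GnuPG itself, that models the local-part mapping Werner describes: lower-case only the plain ASCII letters of the local-part, hash it, and z-base-32 encode the digest so the result is a legal DNS label. The hash algorithm (SHA-1 here) is an assumption of this example, since the message only says the local-part is "hashed"; the z-base-32 alphabet is the published one. The `$ORIGIN` line in the demo mirrors the per-record `$ORIGIN` output the message mentions; the record content itself is not shown because the message does not specify it.

```python
import hashlib

# z-base-32 alphabet (the encoding the message refers to)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, no padding."""
    buf = 0
    nbits = 0
    out = []
    for byte in data:
        buf = (buf << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(buf >> nbits) & 0x1F])
            buf &= (1 << nbits) - 1  # keep only the not-yet-emitted bits
    if nbits:  # trailing bits are left-aligned into one final character
        out.append(ZBASE32_ALPHABET[(buf << (5 - nbits)) & 0x1F])
    return "".join(out)


def downcase_ascii(local_part: str) -> str:
    """Lower-case only A-Z; every non-ASCII code point is left untouched.

    This is the rule proposed in the message: it makes Joe.Doe and joe.doe
    the same entity without depending on Unicode case-folding rules."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in local_part)


def pka_label(mailbox: str, hash_name: str = "sha1") -> tuple:
    """Map a mailbox to (dns_label, domain).

    hash_name is an assumption of this example (the message does not name
    the hash); whatever digest is used, z-base-32 turns it into a label
    made only of characters that are valid in a DNS name."""
    local_part, sep, domain = mailbox.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    canonical = downcase_ascii(local_part).encode("utf-8")
    digest = hashlib.new(hash_name, canonical).digest()
    return zbase32_encode(digest), domain.lower()


if __name__ == "__main__":
    # constructed sample addresses (written with a real '@' rather than the
    # list archive's "at" munging)
    for mbox in ("joe.doe@example.org", "Joe.Doe@example.org", "jürgen@example.org"):
        label, domain = pka_label(mbox)
        print(f"$ORIGIN {domain}.")
        print(f"{mbox:<24} -> {label}")
```

With SHA-1 the label is always 32 characters (160 bits / 5), and the two spellings of joe.doe collapse to the same label while addresses differing only in a non-ASCII letter's case stay distinct, which is exactly the trade-off the message proposes.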