PKA updates
Arturo 'Buanzo' Busleiman
buanzo at buanzo.com.ar
Wed Feb 25 20:49:16 CET 2015
Hello Werner,
Thank you for this.
Could you elaborate on your DNSSEC comments?
Sincerely,
Buanzo.
On Wed, Feb 25, 2015 at 1:03 PM, Werner Koch <wk at gnupg.org> wrote:
> Hi!
>
> For about a decade GnuPG features a DNS based key validation system
> named PKA. It worked by adding special TEXT records into the DNS and
> directing gpg via --auto-key-locate to make use of them. There are
> however a couple of problems with that (e.g. the use of TEXT records) so
> that it requires a redefinition.
>
> What I implemented in master is:
>
> - The local-part of the mailbox is now hashed and z-base-32 encoded.
> This allows the use of characters which are not allowed in a DNS name.
>
> The open question is what to do about case insensitivity: The
> local-part is case sensitive but in practice nobody makes use of it.
> It would also be quite surprising if the addresses
> "joe.doe at example.org" and "Joe.Doe at example.org" were different
> entities. What I have in mind is to downcase all plain ascii
> characters before hashing but keeping the other utf-8 characters as
> they are. This would help with existing addresses but wouldn't conflict
> with too complicated utf-8 rules for downcasing (if they exist at
> all).
>
> - The code for the old PKA has been removed.
>
> - The new command --print-pka-records prints records for insertion into
> zone files. Before each line an $ORIGIN line is given so that a
> simple script can be used to divert the output to the respective
> zone files.
>
> More work is required to use PKA only for initial key retrieval but not
> anymore for validating keys - the DNS is just too insecure for it and we
> should not rely on DNSSEC for validation either.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>
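As an added illustration of the local-part mapping Werner describes (this is example code written for this page, not Werner's implementation or GnuPG's code), the following Python shows the ASCII-only downcasing, the hashing, the z-base-32 encoding, and the $ORIGIN line emitted before each record. Two assumptions are not in the message: SHA-1 as the hash, and `_pka` as the owner-name label under the domain.

```python
import hashlib

# z-base-32 alphabet (Zooko's human-oriented base-32 variant used by GnuPG).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per symbol, zero-padded, no '=' padding."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # pad the tail up to a 5-bit boundary
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def normalize_local_part(local_part: str) -> str:
    """Downcase plain ASCII letters only; every other UTF-8 character is kept as-is.

    This is the compromise from the message: "joe.doe" and "Joe.Doe" collapse to
    one name, while no Unicode case-folding rules are applied to non-ASCII text.
    """
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in local_part)


def pka_label(mailbox: str) -> str:
    """Hash the normalized local-part and z-base-32 encode it.

    SHA-1 is an assumption for this example; the message does not name a hash.
    A 160-bit digest yields exactly 32 z-base-32 symbols, all legal in a DNS label.
    """
    local_part, _, _domain = mailbox.rpartition("@")
    digest = hashlib.sha1(normalize_local_part(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)


def pka_zone_lines(mailbox: str) -> tuple:
    """Return the $ORIGIN line and the owner name for a zone-file snippet.

    The domain is lowercased because DNS names are case-insensitive. The "_pka"
    label is assumed here; the message only says records go under the domain.
    """
    _local_part, _, domain = mailbox.rpartition("@")
    origin = f"$ORIGIN {domain.lower()}."
    owner = f"{pka_label(mailbox)}._pka"
    return origin, owner


if __name__ == "__main__":
    for mbox in ("Joe.Doe@Example.ORG", "joe.doe@example.org", "Ünal@example.org"):
        origin, owner = pka_zone_lines(mbox)
        print(origin)
        print(owner)
```

Note that the mapping is only about producing a legal, stable DNS name for key retrieval; as the message says, neither the DNS nor DNSSEC is to be relied on for validating the retrieved key.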