wk at gnupg.org
Thu Feb 26 09:34:23 CET 2015
On Wed, 25 Feb 2015 21:34, dkg at fifthhorseman.net said:
> https://tools.ietf.org/html/draft-ietf-dane-openpgpkey ? Should we try
> to support this draft?
I looked at this again.
- It requires a new record type
- It merges the first time key retrieval with the validation of the
[ - Why using SHA224 for hashing if this is just for maiing the
> I see DNSSEC as a corroborative channel -- it doesn't need to be
> authoritative for people who don't want it to be, but it could be useful
That was my original idea behind PKA. I don't think that is anymore
justified. However, if you trust DNSSEC gpg can already be tweaked to
that that in account by using "--verify-options pka-trust-increase" etc.
> There are other kinds of security at issue, though: DNS provides a
> pretty nasty leakage channel, since confidential DNS query mechanisms
> are not widely deployed. I'd hope that DNS lookups aren't necessarily
I think this decision should be left to the MUAs. If it is enabled by
default, that would be better than sending mails in the clear. Thus for
a first time non-expert installation enabling such a feature by default
would be the Right Thing.
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-devel