PKA updates

Werner Koch wk at
Thu Feb 26 09:34:23 CET 2015

On Wed, 25 Feb 2015 21:34, dkg at said:

> ?  Should we try
> to support this draft?

I looked at this again.

 - It requires a new record type

 - It merges the first time key retrieval with the validation of the

 [ - Why using SHA224 for hashing if this is just for maiing the
     local-part. ]

> I see DNSSEC as a corroborative channel -- it doesn't need to be
> authoritative for people who don't want it to be, but it could be useful

That was my original idea behind PKA.  I don't think that is anymore
justified.  However, if you trust DNSSEC gpg can already be tweaked to
that that in account by using "--verify-options pka-trust-increase" etc.

> There are other kinds of security at issue, though: DNS provides a
> pretty nasty leakage channel, since confidential DNS query mechanisms
> are not widely deployed.  I'd hope that DNS lookups aren't necessarily

I think this decision should be left to the MUAs.  If it is enabled by
default, that would be better than sending mails in the clear.  Thus for
a first time non-expert installation enabling such a feature by default
would be the Right Thing.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list