Werner Koch wk at
Wed Mar 11 14:51:42 CET 2015

On Sat, 28 Feb 2015 05:08, dkg at said:

> I'm not sure that a new record type is much of a problem.  Most DNS

It needs to be standardized and I do not see a reason for this given
that we already have the CERT record with all kinds of options.

And GnuPG has had support for CERT records for ages.

>>  [ - Why using SHA224 for hashing if this is just for mapping the
>>      local-part. ]
> i'm not sure what the issue is here.  can you explain further?  My

Why the longer SHA224 if SHA1 is sufficient?  I guess that is due to a
false interpretation of the IETF rule that SHA-1 shall not be used in
new crypto protocols - this is not an issue here.

>> That was my original idea behind PKA.  I don't think that is anymore
>> justified.  However, if you trust DNSSEC gpg can already be tweaked to
>> take that into account by using "--verify-options pka-trust-increase" etc.
> Can you explain more why you no longer think that using dnssec as a
> corroborative channel is justified?  I'm personally wary of the

It is of course up to you and if we can work out a metric on how to use it
for key validation - along with other methods - that is fine.  I myself
don't think anymore that DNSSEC is a suitable tool against mass

> Well, sending mail in the clear over a STARTTLS submission channel only
> leaks the To: information to the user's sending MTA, while the DNS query
> leaks the same information to every machine along the network path to
> the DNS server.

That is the meta data problem which we can't solve with the currently
deployed networks and standard protocols.  I don't care about this for
now.  First we need to increase the use of encryption and in a second
step, while the TLAs are working on the deployment of new attacks, we
switch to an overlay network.  Increasing the surveillance costs for the
TLAs is what we can do now.  The cost of mass surveillance is an easier
to understand and more usable argument on the political level than any
technical or human rights argument.

> But i think you're right that this is something that can be mitigated
> with sensible MUA operation, caching results, etc.

Or switch from DNS to something else.  But DNS is easy right now and
gives us time to work out and deploy other solutions.



Thoughts are free.  Exceptions are regulated by a federal law.

