DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

David Shaw dshaw@jabberwocky.com
Wed Jul 10 00:39:01 2002


On Tue, Jul 09, 2002 at 07:09:16PM +0200, Simon Josefsson wrote:
> Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> writes:

[ using CERTs for key distribution ]

> One advantage would be that eventually it could be possible to secure
> the link between a domain and user in that domain (consider
> company.com signing its zone containing references to their users'
> keys).  Then a fake business card and a fake uploaded key on a
> keyserver isn't enough to mount a man-in-the-middle attack.

Signed answers can be useful for some things, but unfortunately there
is no ready way to translate the zone trust (company signed zone
containing a CERT) to the GnuPG web of trust (signature on the key
that was retrieved).  To properly place the key in the web of trust,
the company would have had to sign the key itself, and once they do
that it doesn't matter if the zone is signed or not.

> > It might work better if you just store minimal revocation certificates
> > (those used by GnuPG) in DNS.
> 
> Yes, that should be done.  If DNS is used for that, I don't see how it
> harms to have DNS as an option for retrieving certificates too.  I'm
> sure lots of people will continue to use HKP for many years anyway.

Yes.  One of the nice things about CERT is that it allows any OpenPGP
certificate - this can be a revocation certificate or the whole key.
(Perhaps a detached signature?)

The performance issue I'm actually concerned about is that the current
keyserver code in GnuPG does a fork/exec for each retrieval.  That is
pretty heavyweight compared to the UDP DNS protocol.  If we are to use
this for a lightweight key revocation check, I will revise the
keyserver code to keep the pipe to the subprocess open for multiple
queries.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
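The message above contrasts a CERT record carrying a whole OpenPGP key with one carrying only a minimal revocation certificate. As an added illustration (not code from the thread or from GnuPG), here is a small parser for CERT RDATA as laid out in RFC 2538 that checks for the PGP type and then reads the first OpenPGP packet tag (RFC 2440) to tell a revocation signature from a public key; the sample records are constructed, not real DNS data.

```python
import struct

# CERT RR type value for an OpenPGP packet (RFC 2538, section 2.1)
CERT_TYPE_PGP = 3

# OpenPGP packet tags (RFC 2440, section 4.3) a CERT record may start with
PGP_TAG_SIGNATURE = 2    # a revocation certificate is a signature packet
PGP_TAG_PUBLIC_KEY = 6   # a whole key begins with a public-key packet


def build_cert_rdata(cert_type, key_tag, algorithm, payload):
    """Build CERT RDATA: 16-bit type, 16-bit key tag, 8-bit algorithm, certificate bytes."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + payload


def parse_cert_rdata(rdata):
    """Split CERT RDATA into its fixed header fields and the certificate payload."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "payload": rdata[5:]}


def openpgp_packet_tag(data):
    """Return the tag of the first OpenPGP packet; handles old and new header formats."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = data[0]
    if first & 0x40:             # new-format header: tag is the low six bits
        return first & 0x3F
    return (first >> 2) & 0x0F   # old-format header: tag is bits 5..2


def classify_cert(rdata):
    """Classify what an OpenPGP CERT record carries: a key, a signature, or neither."""
    rec = parse_cert_rdata(rdata)
    if rec["type"] != CERT_TYPE_PGP:
        return "non-pgp"
    # RFC 2538 sets key tag and algorithm to 0 for the PGP type; treat anything else as malformed
    if rec["key_tag"] != 0 or rec["algorithm"] != 0:
        return "malformed-pgp"
    tag = openpgp_packet_tag(rec["payload"])
    if tag == PGP_TAG_SIGNATURE:
        return "revocation-or-signature"
    if tag == PGP_TAG_PUBLIC_KEY:
        return "public-key"
    return "other-openpgp"
```

A revocation check only needs the signature-packet case; a resolver that expects a minimal revocation certificate can reject a record that turns out to carry a whole key before doing any further work.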