DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

Simon Josefsson jas@extundo.com
Wed Jul 10 13:54:02 2002


David Shaw <dshaw@jabberwocky.com> writes:

> On Tue, Jul 09, 2002 at 07:09:16PM +0200, Simon Josefsson wrote:
>> Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> writes:
>
> [ using CERTs for key distribution ]
>
>> One advantage would be that eventually it could be possible to secure
>> the link between a domain and user in that domain (consider
>> company.com signing its zone containing references to their users'
>> keys).  Then a fake business card and a fake uploaded key on a
>> keyserver isn't enough to mount a man-in-the-middle attack.
>
> Signed answers can be useful for some things, but unfortunately there
> is no ready way to translate the zone trust (company signed zone
> containing a CERT) to the GnuPG web of trust (signature on the key
> that was retrieved).  To properly place the key in the web of trust,
> the company would have had to sign the key itself, and once they do
> that it doesn't matter if the zone is signed or not.

Hence "eventually". :-)

A more immediate use of signed responses would be to protect against
substitution attacks between key servers and users.

> The performance issue I'm actually concerned about is that the current
> keyserver code in GnuPG does a fork/exec for each retrieval.  That is
> pretty heavyweight compared to the UDP DNS protocol.  If we are to use
> this for a lightweight key revocation check, I will revise the
> keyserver code to keep the pipe to the subprocess open for multiple
> queries.

Communicating via a socket might be the way to go.  Btw, if you use
several key servers, are they called asynchronously?  I'd like to add
lots of keyservers and have gpg use the answer from the first one.
Right now it seems that if one of the keyservers is down, gpg stalls.
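To make the "CERT record in a signed zone" idea above concrete, here is an added example (not code from this thread or from GnuPG) that encodes and decodes the DNS CERT RDATA layout from RFC 4398: a 16-bit certificate type, a 16-bit key tag, an 8-bit algorithm and the certificate bytes, with the PGP type code 3 requiring a zero key tag and algorithm. The key blob is a constructed placeholder, not a real OpenPGP key.

```python
import base64
import struct

# Certificate type codes from RFC 4398 section 2.1 (the subset a keyserver cares about).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 253: "URI", 254: "OID"}
CERT_TYPE_CODES = {name: code for code, name in CERT_TYPES.items()}


def encode_cert_rdata(cert_type: str, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    """Build CERT RDATA: 16-bit type, 16-bit key tag, 8-bit algorithm, then the raw certificate."""
    code = CERT_TYPE_CODES[cert_type]
    # RFC 4398: PGP and IPGP carry no DNSSEC-style key tag or algorithm, so both must be 0.
    if cert_type in ("PGP", "IPGP") and (key_tag != 0 or algorithm != 0):
        raise ValueError("key tag and algorithm must be 0 for PGP/IPGP CERT records")
    return struct.pack("!HHB", code, key_tag, algorithm) + cert


def decode_cert_rdata(rdata: bytes) -> dict:
    """Parse CERT RDATA from the wire; rejects records too short to hold the fixed header."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than the 5-byte fixed header")
    code, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": CERT_TYPES.get(code, str(code)), "key_tag": key_tag,
            "algorithm": algorithm, "cert": rdata[5:]}


def to_presentation(rdata: bytes) -> str:
    """Zone-file form: 'CERT <type> <key tag> <algorithm> <base64 certificate>'."""
    f = decode_cert_rdata(rdata)
    return f"CERT {f['type']} {f['key_tag']} {f['algorithm']} {base64.b64encode(f['cert']).decode()}"


def from_presentation(text: str) -> bytes:
    """Inverse of to_presentation; strict base64 so a corrupted zone line fails loudly."""
    parts = text.split()
    if len(parts) != 5 or parts[0] != "CERT":
        raise ValueError("expected: CERT <type> <key tag> <algorithm> <base64 data>")
    _, ctype, key_tag, algorithm, b64 = parts
    return encode_cert_rdata(ctype, int(key_tag), int(algorithm), base64.b64decode(b64, validate=True))


# Constructed placeholder blob standing in for an exported OpenPGP public key; not a real key.
SAMPLE_KEY = b"\x99\x01\x0d" + b"constructed-sample-openpgp-packet"

if __name__ == "__main__":
    rdata = encode_cert_rdata("PGP", 0, 0, SAMPLE_KEY)
    line = to_presentation(rdata)
    print(line)
    assert from_presentation(line) == rdata
```

A real deployment would fetch the RRset with a DNSSEC-validating resolver and only trust the blob when the AD bit (or local validation) confirms the zone signature, which is the substitution-attack protection discussed above.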