Using the "preferred keyserver URL" in GnuPG 1.4

Simon Josefsson jas at extundo.com
Tue Dec 21 22:27:59 CET 2004


David Shaw <dshaw at jabberwocky.com> writes:

>> But writing a gpgkeys_dns.c using res_query should not be difficult.
>> Would you accept it if I wrote it?  Could be a fun Christmas
>> project...
>
> If it is okay with Werner, it is ok with me.  The only thing is that
> we need a copyright assignment to the FSF.  Keep in mind that you're
> committing yourself to maintain it on different platforms :) :)

I think the main concern is that res_query is non-standard, but when
it is not available, disabling gpgkeys_dns seems like a simple
solution.  Fortunately there seems to already be code in gpg that has
the same issue, so much can be reused.

>> Can gpg use the keyserver infrastructure for revocation checking?
>
> Not currently.  Somewhere on the todo list is a change to allow that.
> It is difficult since there is no way to say "give me this update only
> if it is revoked" in many keyserver protocols.  It is possible in
> LDAP, and with CERT of course.

Perhaps gpg could support it for those keyserver protocols where it is
easy to support that model.  Could be a nice test of PGP revocation
certs using CERT.  On the other hand, there are some advantages in
creating a new DNS type for OpenPGP revocation certs, that is separate
from CERT.  (Query simon.josefsson.org IN CERT to see why...  The PKIX
certificate would still overflow the UDP limit.)  However,
implementing the idea in gpg might be a first step in dispersing
knowledge about the idea...

Thanks.
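To make the UDP-limit point above concrete, here is an added example (not code from the thread or from GnuPG) that builds and parses the RDATA of a DNS CERT record (RFC 4398) and estimates whether a one-answer reply carrying it fits in the classic 512-byte UDP payload; the owner name and the certificate bytes are constructed, and `response_size` is a simplified hypothetical estimate.

```python
"""Added example, not part of the original message: DNS CERT RDATA
(RFC 4398) plus a check against the classic 512-byte UDP reply limit.
Constructed sample data only; response_size() is an approximation."""
import struct

CERT_TYPE_PKIX = 1     # RFC 4398: X.509 certificate (PKIX)
CERT_TYPE_PGP = 3      # RFC 4398: OpenPGP packet (key, or a revocation cert)
DNS_UDP_LIMIT = 512    # RFC 1035 maximum UDP payload without EDNS0


def cert_rdata(cert_type: int, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    """RDATA layout: type(2) | key tag(2) | algorithm(1) | certificate.
    For OpenPGP packets RFC 4398 uses key tag 0 and algorithm 0."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


def parse_cert_rdata(rdata: bytes):
    """Inverse of cert_rdata(); rejects RDATA shorter than the fixed header."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def response_size(owner: str, rdata: bytes) -> int:
    """Approximate size of a minimal one-answer reply (assumption: no EDNS0,
    no additional records): 12-byte header, question (wire-format name +
    qtype + qclass), answer (2-byte compression pointer + type + class +
    ttl + rdlength + rdata)."""
    labels = owner.rstrip(".").split(".")
    name_len = sum(1 + len(label) for label in labels) + 1  # +1 root label
    question = name_len + 2 + 2
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)
    return 12 + question + answer


def fits_in_udp(owner: str, rdata: bytes) -> bool:
    """True if the reply fits without truncation (TC bit / TCP retry)."""
    return response_size(owner, rdata) <= DNS_UDP_LIMIT


if __name__ == "__main__":
    owner = "simon.josefsson.org"          # owner name taken from the thread
    small = cert_rdata(CERT_TYPE_PGP, 0, 0, b"\x88" * 100)    # constructed
    large = cert_rdata(CERT_TYPE_PKIX, 0, 0, b"\x30" * 1500)  # constructed
    print(owner, "PGP rev cert fits:", fits_in_udp(owner, small))
    print(owner, "PKIX cert fits:", fits_in_udp(owner, large))
```

Replies that exceed the limit come back truncated (TC bit set) and force a TCP retry, which is the practical cost of putting a full PKIX certificate in a CERT record.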
