Using the "preferred keyserver URL" in GnuPG 1.4
dshaw at jabberwocky.com
Tue Dec 21 23:17:04 CET 2004
On Tue, Dec 21, 2004 at 10:27:59PM +0100, Simon Josefsson wrote:
> David Shaw <dshaw at jabberwocky.com> writes:
> >> But writing a gpgkeys_dns.c using res_query should not be difficult.
> >> Would you accept it if I wrote it? Could be a fun Christmas
> >> project...
> > If it is okay with Werner, it is ok with me. The only thing is that
> > we need a copyright assignment to the FSF. Keep in mind that you're
> > committing yourself to maintain it on different platforms :) :)
> I think the main concern is that res_query is non-standard, but when
> it is not available, disabling gpgkeys_dns seem like a simple
> solution. Fortunately there seem to already be code in gpg that have
> the same issue, so much can be reused.
Yes, the SRV code uses res_query. If you use HAVE_DNS_SRV to detect
whether res_query is available and link with @SRVLIBS@ then you can
safely use res_query anywhere. If HAVE_DNS_SRV is set, you can rely
on res_query(), dn_expand(), and dn_skipname().
> >> Can gpg use the keyserver infrastructure for revocation checking?
> > Not currently. Somewhere on the todo list is a change to allow that.
> > It is difficult since there is no way to say "give me this update only
> > if it is revoked" in many keyserver protocols. It is possible in
> > LDAP, and with CERT of course.
> Perhaps gpg could support it for those keyserver protocols were it is
> easy to support that model. Could be a nice test of PGP revocation
> certs using CERT. On the other hand, there are some advantages in
> creating a new DNS type for OpenPGP revocation certs, that is separate
> from CERT. (Query simon.josefsson.org IN CERT to see why... The PKIX
> certificate would still overflow the UDP limit.) However,
> implementing the idea in gpg might be a first step in dispersing
> knowledge about the idea...
I'll make you a deal - if you write the DNS handler to properly handle
a flag passed from gpg to do a revocation-only search, I'll write the
code in gpg to pass that flag when appropriate. Since a
revocation-only check can also be fulfilled (though slower) by a
regular check, this would be nicely backwards compatible.
More information about the Gnupg-users