A lot of questions about CERT, PKA and make-dns-cert
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Oct 16 03:37:08 CEST 2009
I'm in the process of writing a blog entry about the PKA and CERT methods.
A couple of people wrote about them a long time ago, and I'd like to bring
some of the info up to date. (If this is better asked on gnupg-dev, let me know.)

1) Currently the only tool that can generate a CERT record, make-dns-cert,
is not built or packaged by default under any OS I've found (I've tried
FreeBSD and Ubuntu). It has no documentation, no examples, and only a
terse 4-line usage summary. I've also seen a few bugs reported against it
that I don't know whether they're fixed, such as not handling whitespace in the
key fingerprint properly.

2) I realize this is a fringe feature, but other than a few scattered blog
posts that reference each other, some of which are written by GnuPG
developers, info on these methods is HARD TO FIND. There's nothing in the
docs/FAQ about this, at all. I think adoption would be much more
widespread if this were a FAQ-able item. It's mentioned once in the
manpage, once in the default gnupg.conf, and that's really it. If you
document it, people will use it (and with Thawte dropping personal
freemail certs lately, this is something you want).

3) As far as I know, PKA isn't standardized in any RFC. Has this
changed? I saw mention of applying to IANA for its own typecode. Is
there a list somewhere of what URI types are supported? I saw talk of it
not supporting HTTP 1.1, but that may be fixed with curl.

Of the two methods, I tend to actually prefer PKA because it lets me
delegate _pka.example.com to its own sub-zone, whereas CERT records must
be inserted into the main zone.

4) Try though I might, I can't seem to get my full key in CERT format
recognized. I am not sure if this is because my key is "complicated" (i.e.
it has subkeys), because the cert is not under my primary uid, or because
I just plain exported it wrong.

    echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org

and get:

    gpg: error retrieving `gushi at gushi.org' via DNS CERT: No fingerprint

I exported my key with:

    gpg --export --export-options minimal > file
    make-dns-cert -n gushi.gushi.org -f file

It's still live if anyone wants to try.

5) Finally, the quality of records being generated, while consistent with
RFC 3597, leaves them a real bear to manage and import. If you're
going to export them in hex, could we please also get whitespace so we can
get this into an editor easily? Ideally, the things would just be base64
encoded, in accordance with RFC 4398.

Most versions of BIND 9 understand the CERT record, with base64
representation, and numeric typecodes. BIND 9.6 understands the PGP type
value mnemonic but not IPGP. BIND 9.7 understands IPGP.

What would be really, really cool is step by step instructions for
exporting, or hell, let gpg generate these records, the way ssh-keygen
generates SSHFP records.

Those are my thoughts.

Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
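
A constructed illustration of the record handling points 4 and 5 above are about (added here; it is not Dan's code and not part of GnuPG or make-dns-cert): it builds the IPGP and PGP CERT RDATA that make-dns-cert emits, prints it in the RFC 3597 generic hex form with whitespace, parses that form back, and renders the RFC 4398 base64 form that BIND loads directly. The fingerprint and URL are made-up sample values.

```python
import base64
import re
import struct

# RFC 4398 section 2.1 type mnemonics (BIND 9.6 knows PGP but not IPGP; 9.7 knows both).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
PGP, IPGP = 3, 6

def encode_ipgp(fingerprint_hex, url):
    """IPGP RDATA (RFC 4398 s3.3): type(2) key tag(2) alg(1) fpr-length(1) fpr url; tag/alg are 0."""
    fpr = bytes.fromhex(re.sub(r"\s+", "", fingerprint_hex))  # tolerate 'gpg --fingerprint' spacing
    return struct.pack("!HHB", IPGP, 0, 0) + bytes([len(fpr)]) + fpr + url.encode("ascii")

def encode_pgp(key_bytes):
    """PGP RDATA: the whole binary (minimal) OpenPGP key after the 5-octet header; tag/alg are 0."""
    return struct.pack("!HHB", PGP, 0, 0) + key_bytes

def to_generic(rdata, group=32):
    """RFC 3597 generic form, TYPE37 \\# <len> <hex>, with the hex split into editor-friendly groups."""
    h = rdata.hex()
    return "TYPE37 \\# %d %s" % (len(rdata), " ".join(h[i:i + group] for i in range(0, len(h), group)))

def from_generic(text):
    """Parse '\\# <len> <hex...>' back to bytes; RFC 3597 allows whitespace anywhere inside the hex."""
    m = re.search(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)$", text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic format")
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(data) != int(m.group(1)):
        raise ValueError("declared length %s but %d octets of hex" % (m.group(1), len(data)))
    return data

def decode_cert(rdata):
    """Split CERT RDATA into its fields; for IPGP also recover the fingerprint and URL."""
    ctype, keytag, alg = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    rec = {"type": CERT_TYPES.get(ctype, str(ctype)), "key_tag": keytag, "algorithm": alg}
    if ctype == IPGP:
        n = body[0]  # a zero-length fingerprint is allowed by the RFC
        rec["fingerprint"] = body[1:1 + n].hex().upper()
        rec["url"] = body[1 + n:].decode("ascii")
    else:
        rec["certificate"] = body
    return rec

def to_presentation(rdata):
    """RFC 4398 master-file form that BIND loads directly: CERT <type> <key tag> <alg> <base64>."""
    r = decode_cert(rdata)
    return "CERT %s %d %d %s" % (r["type"], r["key_tag"], r["algorithm"], base64.b64encode(rdata[5:]).decode())
```

The owner name for an address is the local part followed by the domain (gushi.gushi.org for gushi@gushi.org), so the output of to_presentation goes straight after that name in the zone file.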