pka-lookups and dnssec

Werner Koch wk at
Mon Dec 5 14:15:07 CET 2011

On Mon,  5 Dec 2011 13:26, gnupg at said:

> verification, but if you don't have the key already, it doesn't know the
> UID associated with the key used to sign and therefore can't do the PKA
> lookup... Is there some additional command line option that I should be

Well, PKA requires additional information in the signature:

  To send this mail, Alice will first sign it using her private key.
  That signature features one extra piece of signed information for use by PKA:
  The mail address from the ``From:'' line.  The user IDs and mail
  address as included in the key are not sufficient because it is
  common to have several mail addresses in a key which might not even
  match the address as used in the ``From:'' line.
  Using so-called notation data (OpenPGP) or signed attributes (X.509)
  this address gets signed along with the actual text of the message.
  When using OpenPGP the notation for our example would be:
    pka-address at at
  ``pka-address at'' is the key to identify this as PKA notation

With gpg you would use this option:
  --sig-notation "pka-address at at"

With GPGME you use the gpgme_sig_notation_add to set such a notation.

> Also. Would it be useful to add a feature to GnuPG so it displays the
> fact that a PKA record it retrieved was DNSSEC signed, when true? Just
> for informational purposes. It strikes me as useful information to have...

It does this:

      log_info (_("automatically retrieved `%s' via %s\n"),
                name, mechanism);

You may want to use something like


to define the order in which lookups are done.



Thoughts are free.  Exceptions are regulated by a federal law.
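The notation mechanism described above, as an added example that is not part of the original message or of GnuPG: a small parser that walks the hashed subpacket area of an OpenPGP signature (RFC 4880 subpacket encoding) and pulls out the PKA notation, so a verifier can compare it with the address from the ``From:'' line before it even attempts a PKA lookup. The notation name `pka-address@gnupg.org` is assumed from the GnuPG documentation (the message above has it elided), and the sample subpacket bytes are constructed here.

```python
import struct

# Notation name GnuPG uses for PKA (assumption: taken from GnuPG docs, not from the mail above).
PKA_NOTATION = "pka-address@gnupg.org"

def _read_subpacket_length(buf, pos):
    """RFC 4880 5.2.3.1: a subpacket length is encoded in 1, 2 or 5 octets."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def parse_notations(hashed_area):
    """Return {name: value} for every notation-data subpacket (type 20).
    Only the *hashed* area is walked: a notation placed in the unhashed
    area is not covered by the signature and must not be trusted."""
    notations, pos = {}, 0
    while pos < len(hashed_area):
        length, pos = _read_subpacket_length(hashed_area, pos)
        sp_type = hashed_area[pos] & 0x7F            # strip the critical bit
        body = hashed_area[pos + 1:pos + length]     # length includes the type octet
        pos += length
        if sp_type != 20:
            continue
        flags, name_len, value_len = struct.unpack(">IHH", body[:8])
        name = body[8:8 + name_len].decode()
        value = body[8 + name_len:8 + name_len + value_len]
        # 0x80000000 is the human-readable flag; keep binary notations as bytes.
        notations[name] = value.decode() if flags & 0x80000000 else value
    return notations

def pka_address(hashed_area):
    """The signed mail address, or None if the signature carries no PKA notation."""
    return parse_notations(hashed_area).get(PKA_NOTATION)

def matches_from_line(hashed_area, from_addr):
    """True only when the signed PKA address equals the From: address (case-insensitive)."""
    addr = pka_address(hashed_area)
    return addr is not None and addr.lower() == from_addr.strip().lower()

def build_notation_subpacket(name, value):
    """Encode one human-readable notation subpacket; used here only to build sample input
    (gpg --sig-notation produces this for you)."""
    name_b, value_b = name.encode(), value.encode()
    payload = bytes([20]) + struct.pack(">IHH", 0x80000000, len(name_b), len(value_b)) + name_b + value_b
    return bytes([len(payload)]) + payload            # one-octet length form suffices here

# Constructed sample hashed area: a creation-time subpacket (type 2) followed by a PKA notation.
SAMPLE_HASHED_AREA = b"\x05\x02" + struct.pack(">I", 1323090907) \
    + build_notation_subpacket(PKA_NOTATION, "alice@example.com")
```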
