pka-lookups and dnssec

gnupg at gnupg at
Mon Dec 5 15:30:05 CET 2011

On 05/12/11 13:15, Werner Koch wrote:

>> verification, but if you don't have the key already, it doesn't know the
>> UID associated with the key used to sign and therefore can't do the PKA
>> lookup... Is there some additional command line option that I should be
> Well, PKA requires additional information in the signature:
>   To send this mail, Alice will first sign it using her private key.
>   That signature features one extra signed information for use by PKA:
>   The mail address from the ``From:'' line.  The user IDs and mail
>   address as included in the key are not sufficient because it is
>   common to have several mail addresses in a key which might even not
>   match the address as used in the ``From:'' line.
>   Using so-called notation data (OpenPGP) or signed attributes (X.509)
>   this address gets signed along with the actual text of the message.
>   When using OpenPGP the notation for our example would be:
>   \begin{verbatim}
>     pka-address at at
>   \end{verbatim}
>   ``pka-address at'' is the key to identify this as PKA notation
>   data. 
> With gpg you would use this option:
>   --sig-notation "pka-address at at" 

I tried signing something like this: (minus ".NOSPAM")

gpg --sig-notation "pka-address at at" --clearsign

I then tried verifying the output from the above command, by piping it
into this, using a gpg homedir that didn't contain my key:

gpg --verify-options pka-lookups --verify

The result:

gpg: Signature made Mon 05 Dec 2011 14:25:17 GMT using RSA key ID C1D1E704
gpg: Can't check signature: No public key

Where have I gone wrong?

> With GPGME you use the gpgme_sig_notation_add to set such a notation.
>> Also. Would it be useful to add a feature to GnuPG so it displays the
>> fact that a PKA record it retrieved was DNSSEC signed, when true? Just
>> for informational purposes. It strikes me as useful information to have...
> It does this:
> 	      log_info (_("automatically retrieved `%s' via %s\n"),
> 			name, mechanism);

Yes, it displays that the key was retrieved using PKA. It doesn't
however state that the PKA record was DNSSEC signed. Knowing that the
fingerprint retrieved from the DNS was signed with DNSSEC is worthy of
being announced IMHO...


Mike Cardwell
Professional   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
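As an added illustration (not code from this thread or from GnuPG itself), here is the small set of checks a verifier performs once it has the PKA notation address from the signature: build the DNS owner name, parse the PKA TXT record, compare the published fingerprint with the signing key, and carry the resolver's DNSSEC-authenticated (AD) status through to the result, which is the piece of information Mike asks to see displayed. It assumes the documented record form `v=pka1;fpr=<40 hex>;uri=<key location>` and the owner name `<local>._pka.<domain>`; the sample record, fingerprint and address are constructed, and the AD bit is passed in as a boolean rather than obtained from a real resolver.

```python
import re

# Constructed sample PKA TXT record (the fingerprint and URI are made up).
SAMPLE_TXT = ("v=pka1;"
              "fpr=0123456789ABCDEF0123456789ABCDEF01234567;"
              "uri=finger:alice@example.net")


def pka_record_name(address):
    """DNS owner name queried for a PKA record: <local>._pka.<domain>."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mail address: %r" % address)
    return "%s._pka.%s." % (local, domain)


def parse_pka_txt(txt):
    """Parse a v=pka1 TXT record into {'fpr': ..., 'uri': ...}.

    Rejects unknown versions and malformed fingerprints so that a junk
    record can never be mistaken for a valid binding.
    """
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % part)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported PKA version: %r" % fields.get("v"))
    fpr = fields.get("fpr", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("fingerprint must be 40 hex digits")
    return {"fpr": fpr, "uri": fields.get("uri")}


def evaluate_pka(signer_fpr, notation_address, txt, dnssec_authenticated):
    """Relate a signature's key and pka-address notation to a DNS record.

    signer_fpr           fingerprint of the key that made the signature
    notation_address     address carried in the signed pka-address notation
    txt                  the TXT record fetched for that address
    dnssec_authenticated AD bit from the resolver (assumed supplied by caller)
    """
    record = parse_pka_txt(txt)
    normalized = signer_fpr.replace(" ", "").upper()
    matches = record["fpr"] == normalized
    if not matches:
        verdict = "mismatch"
    elif dnssec_authenticated:
        verdict = "match (DNSSEC-authenticated)"
    else:
        verdict = "match (unauthenticated DNS)"
    return {
        "name": pka_record_name(notation_address),
        "uri": record["uri"],
        "fingerprint_matches": matches,
        "dnssec_authenticated": bool(dnssec_authenticated),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = evaluate_pka(
        "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
        "alice@example.net", SAMPLE_TXT, dnssec_authenticated=True)
    for key, value in result.items():
        print("%-21s %s" % (key + ":", value))
```

The distinction between the last two verdicts is exactly what the thread is about: a fingerprint match that came back over plain DNS only tells you that someone able to answer that query agreed with the signature, whereas a match on an AD-flagged answer ties the binding to the zone's DNSSEC chain, and a verifier that does not surface that difference leaves the user unable to tell them apart.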

