Automatic e-mail encryption

Mike Cardwell gnupg at lists.grepular.com
Tue Jul 22 10:33:55 CEST 2014


* on the Mon, Jul 21, 2014 at 06:23:51PM +0200, Peter Lebbing wrote:

> By the way, regarding DANE as an alternative to the CA system: I think a proper
> implementation of authentication through DNS could well be way better than the
> CA system: at least you can only be screwed by people having access to signing
> keys for the root and the TLD, instead of anyone with access to a CA certificate.

I believe Postfix already has support for using DANE and it's on the roadmap
for Exim too. I already have it set up for my own domain "grepular.com":

  mike at flan:~$ dig +short mx grepular.com
  10 mx1.grepular.com.
  20 mx2.grepular.com.
  mike at flan:~$ dig +short tlsa _25._tcp.mx1.grepular.com
  3 0 1 3469CFEC16545C38CCADC72D5E7A11E11254D53AA69E587C135D9874 300FF144
  mike at flan:~$ dig +short tlsa _25._tcp.mx2.grepular.com
  3 0 1 6643FEEA7C7B382BE1D09422FAABEB6B47642BE87178BDD73637B175 CE34370E
  mike at flan:~$ 

My SMTP certs are also signed by a traditional CA at the same time, so
there are two ways of verifying that the certs are correct.

I also have it set up for the website at https://grepular.com/. If you're
using Firefox, have a DNSSEC-capable resolver and are using the add-on
from https://www.dnssec-validator.cz/, it will display a nice green icon
in the address bar to show you that DNSSEC is in use, and another to show
you that DANE validated, when visiting https://grepular.com/

Thanks to signed DNS, you can also fetch my PGP key safely and
independently of keyservers:

  gpg --auto-key-locate pka -ear mike.cardwell(NOSPAM)@grepular.com

That command will cause GnuPG to perform the following DNS lookup:

  mike at flan:~$ dig +short TXT mike.cardwell(NOSPAM)._pka.grepular.com
  "v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"
  mike at flan:~$ 

It then fetches the key from http://grepular.com/0018461F.pub.asc and
validates that the fingerprint matches the one in the DNS response.

Also, all of my email is encrypted at rest thanks to GnuPG. Even the
stuff which was not encrypted when it was sent:

  https://grepular.com/Automatically_Encrypting_all_Incoming_Email
  https://grepular.com/Automatically_Encrypting_all_Incoming_Email_Part_2

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
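Both mechanisms in the message above follow the same pattern: a value published in signed DNS (a TLSA record for the MX host, a PKA TXT record for the key owner) is compared against an object fetched out of band (the server certificate, the key file at the uri). The following Python is an added example, not Mike's code and not GnuPG's or Postfix's implementation. It parses the two record formats exactly as `dig +short` prints them in the post (the wrapped TLSA hex, the `\;` escapes in the TXT string) and performs the comparison. The TLSA half goes beyond the `3 0 1` case in the post and handles selector 1 (SubjectPublicKeyInfo) and matching types 0 and 2 as well. The TLSA and PKA records and the OpenPGP fingerprint are the ones quoted in the message; `CONSTRUCTED_CERT` is a constructed stand-in for DER certificate bytes, since no real certificate is on the page. The DNSSEC validation that makes these DNS answers trustworthy in the first place is assumed to have happened in the resolver and is not shown here.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# --- DANE TLSA (RFC 6698): "usage selector matching-type association-data"
#   usage 3        = DANE-EE: the record pins the server certificate itself
#   selector 0 / 1 = full DER certificate / SubjectPublicKeyInfo only
#   matching 0/1/2 = exact bytes / SHA-256 / SHA-512 of the selected data


def parse_tlsa(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse TLSA RDATA as `dig +short` prints it.

    dig wraps long association data with spaces, so every field after
    the third is joined before hex-decoding.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = "".join(fields[3:])
    if not re.fullmatch(r"[0-9A-Fa-f]+", data) or len(data) % 2:
        raise ValueError("association data is not an even-length hex string")
    return usage, selector, mtype, bytes.fromhex(data)


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: Optional[bytes] = None) -> bool:
    """True if the certificate (or its SPKI) satisfies the TLSA record.

    Only the certificate-to-record comparison is done here; the TLS
    handshake, DNSSEC validation of the record and, for usage 0/1, the
    PKIX chain check are the caller's job.
    """
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown certificate usage {usage}")
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        digest = subject
    elif mtype == 1:
        digest = hashlib.sha256(subject).digest()
    elif mtype == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return hmac.compare_digest(digest, assoc)


def make_tlsa_record(cert_der: bytes) -> str:
    """Build the "3 0 1" record for a certificate, the form used in the post."""
    return "3 0 1 " + hashlib.sha256(cert_der).hexdigest().upper()


# --- PKA: TXT at <local-part>._pka.<domain>, "v=pka1;fpr=<40 hex>;uri=<url>"


def parse_pka(txt: str) -> dict:
    """Parse a PKA TXT record as `dig +short` prints it (quoted, ';' escaped as '\\;')."""
    body = txt.strip().strip('"').replace("\\;", ";")
    fields = {}
    for part in body.split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key] = value
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    fpr = fields.get("fpr", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("fpr is not a 40-hex-digit v4 fingerprint")
    if "uri" not in fields:
        raise ValueError("record has no uri")
    return {"v": "pka1", "fpr": fpr, "uri": fields["uri"]}


def pka_key_acceptable(txt: str, fetched_key_fpr: str) -> bool:
    """The check made after fetching the key from the uri: the fingerprint
    of what arrived must equal the one published in DNS."""
    published = parse_pka(txt)["fpr"]
    fetched = re.sub(r"\s+", "", fetched_key_fpr).upper()
    return hmac.compare_digest(published.encode(), fetched.encode())


# Sample inputs: the records and fingerprint quoted in the message above,
# plus a constructed stand-in for certificate bytes (not a real certificate).
MX1_TLSA = "3 0 1 3469CFEC16545C38CCADC72D5E7A11E11254D53AA69E587C135D9874 300FF144"
PKA_TXT = r'"v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"'
SIGNATURE_FPR = "35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F"
CONSTRUCTED_CERT = b"constructed stand-in for DER certificate bytes, not a real cert"

if __name__ == "__main__":
    print(parse_tlsa(MX1_TLSA))
    rec = make_tlsa_record(CONSTRUCTED_CERT)
    print(rec, tlsa_matches(rec, CONSTRUCTED_CERT), tlsa_matches(rec, CONSTRUCTED_CERT + b"!"))
    print(parse_pka(PKA_TXT))
    print(pka_key_acceptable(PKA_TXT, SIGNATURE_FPR))
```

`hmac.compare_digest` is used for both comparisons so that the check does not leak how many leading bytes matched; with usage 3 (DANE-EE) a match is sufficient on its own, which is why the post can describe the CA signature as a second, independent route to the same verdict rather than a prerequisite.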