DANE

Werner Koch wk at gnupg.org
Tue Jul 29 08:18:21 CEST 2014


On Mon, 28 Jul 2014 17:24, enigmail at josuttis.de said:
> Are you or is someone working on DANE support for GnuPG?
> Any schedule?

We have had kind of this for years.  There is the original PKA thing which
is older than DKIM and there is the flexible kDNS method to locate keys
in the DNS.

I am not aware of the latest OpenPGP version of DANE but we discussed
this here some time ago.  What I do not understand is why SHA-224 is
used to map the mail address.  This sounds pretty overkill, in
particular with OpenPGP which uses SHA-1 a lot.  SHA-1 is good enough
for such kind of mappings and the resulting name is shorter.

BTW, with DANE we introduce a hierarchical trust model into the
decentralized OpenPGP system.  It is probably good for a first time
contact and to seed a trust on first use database (TOFU [1]) but I doubt
that the DNSSEC part is that important.  Yes, I am in favor of DNSSEC
but it is not the silver bullet to solve the problem of man-in-the-
middle attacks.


Shalom-Salam,

   Werner


[1] "Trust On First Use" or related to your
     quoting style "Text Oben Full-Quote Unten" ;-)

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
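The mail-address mapping discussed in the message above, as an added example that is not part of the original post and not GnuPG's or the DANE draft's code: it hashes the local part of an address with a chosen digest and builds the DNS owner name under which a key would be published, so the length difference between a SHA-224 label and a SHA-1 label can be seen directly. The `_openpgpkey` label, the hex encoding of the digest and the sample address are assumptions of this example.

```python
import hashlib

# Hypothetical helper, not part of GnuPG or of the DANE OpenPGP draft.
# It builds the DNS owner name for a mail address by hashing the local
# part with a chosen digest.  The draft referred to in the mail used
# SHA-224; SHA-1 is offered alongside it to show the length difference.

MAX_DNS_LABEL = 63                # RFC 1035 limit for a single label
OPENPGPKEY_LABEL = "_openpgpkey"  # label of the DANE OpenPGP draft (assumed)


def mapping_label(local_part: str, algo: str = "sha224") -> str:
    """Hex digest of the local part, used as the leftmost DNS label."""
    return hashlib.new(algo, local_part.encode("utf-8")).hexdigest()


def owner_name(address: str, algo: str = "sha224") -> str:
    """Full owner name: <hexdigest(local)>._openpgpkey.<domain>."""
    if "@" not in address:
        raise ValueError("not a mail address: %r" % address)
    local, domain = address.rsplit("@", 1)
    return "%s.%s.%s." % (mapping_label(local, algo), OPENPGPKEY_LABEL, domain)


def label_fits(label: str) -> bool:
    """True if a hashed label respects the 63-octet DNS label limit."""
    return 1 <= len(label) <= MAX_DNS_LABEL


def compare_mappings(address: str, algos=("sha224", "sha1")) -> dict:
    """Length of the hashed label per digest, for the comparison in the mail."""
    local = address.rsplit("@", 1)[0]
    return {algo: len(mapping_label(local, algo)) for algo in algos}


if __name__ == "__main__":
    addr = "alice@example.org"  # constructed sample address
    for algo in ("sha224", "sha1"):
        print(algo, owner_name(addr, algo))
    print(compare_mappings(addr))
```

Both labels fit comfortably under the 63-octet DNS label limit; the SHA-224 label is 56 hex characters, the SHA-1 label 40. Note that the digest here only serves as a fixed-length encoding of the local part: since local parts are short and often guessable, a stronger hash does not hide the address any better, which is why the mapping does not need the collision resistance of a signature hash.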
