German ct magazine postulates death of pgp encryption

Chuck Peters cp at axs.org
Mon Mar 2 04:50:52 CET 2015


Kristian Fiskerstrand said:
> >> 
> >> You wouldn't need the keyservers to be involved in this at all. 
> >> Anyone could set up such a mail verification CA outside of the 
> >> keyserver network.

How about storing keys in a more distributed manner, DNS, in addition to some other method of authentication, DNSSEC and DANE?

Paul Wouters and others are working on it:

Using DANE to Associate OpenPGP public keys with email addresses
https://tools.ietf.org/html/draft-wouters-dane-openpgp-02

Paul recently gave a presentation about it at an ICANN meeting:
Slides
http://singapore52.icann.org/en/schedule/mon-tech/presentation-new-dnssec-technologies-09feb15-en.pdf
Video, via Adobe Connect, starts at about 4:49:00 and goes to about 5:08:00:
https://icann.adobeconnect.com/p2j5gtoni79/?launcher=false&fcsContent=true&pbMode=normal
Audio:
http://audio.icann.org/meetings/singapore2015/tech-09feb15-en.mp3

Slide 1 of the presentation shows, not including the title slide, how you can obtain Paul's key with dig and slide 2 shows the easier method using hash-slinger:
openpgpkey --fetch email_address

Slide 5 shows how to create the DNS record:
openpgpkey --create email_address --output rfc

On slide 9 Paul talks about openpgpkey-milter, which is a Postfix and Sendmail plugin to auto-encrypt email. Note it is not recommended for production use yet.


And to make mail servers less NSA friendly we should be setting up DANE and requiring STARTTLS with forward secrecy anyway! It's on my TODO list!


Chuck
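As an added example (not part of Chuck's post, hash-slinger or openpgpkey-milter): the lookup the slides describe, done by hand. It builds the OPENPGPKEY owner name for an address, emits the dig query (older dig only knows the record as TYPE61), and decodes the RFC 3597 generic RDATA that dig prints for unknown types back into the raw OpenPGP key. Assumed: the owner-name hash is the one the final RFC 7929 specifies (SHA2-256 of the local part truncated to 28 octets); the -02 draft linked above may differ, and the sample answer line and key bytes are constructed.

```python
import hashlib
import re

# RR type number assigned to OPENPGPKEY (RFC 7929); older dig needs "TYPE61".
OPENPGPKEY_RRTYPE = 61


def openpgpkey_owner_name(email: str) -> str:
    """Owner name of the OPENPGPKEY record for an email address (RFC 7929).

    SHA2-256 over the local part, hashed as given (RFC 5322 makes it case
    sensitive), truncated to 28 octets (56 hex digits), then "._openpgpkey."
    and the lowercased domain.
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower().rstrip('.')}"


def dig_command(email: str) -> str:
    """Query to type in; +dnssec requests the RRSIGs needed to validate the answer."""
    return f"dig +dnssec TYPE{OPENPGPKEY_RRTYPE} {openpgpkey_owner_name(email)}"


def parse_generic_rdata(answer_line: str) -> bytes:
    """Decode a dig answer in RFC 3597 generic form ('\\# <len> <hex...>').

    Returns the raw OpenPGP transferable public key and rejects answers whose
    declared length does not match the hex payload.
    """
    m = re.search(r"\\#\s+(\d+)\s+([0-9a-fA-F\s]+)$", answer_line.strip())
    if not m:
        raise ValueError("no generic RDATA in answer line")
    declared = int(m.group(1))
    data = bytes.fromhex("".join(m.group(2).split()))
    if len(data) != declared:
        raise ValueError(f"RDATA length {len(data)} != declared {declared}")
    return data


# Constructed sample: a few bytes standing in for a binary OpenPGP key, and the
# answer line dig would print for it (TTL and address are made up).
SAMPLE_RDATA = bytes.fromhex("99010d04" + "55" * 8)
SAMPLE_ANSWER = (
    f"{openpgpkey_owner_name('chuck@example.org')}. 3600 IN "
    f"TYPE{OPENPGPKEY_RRTYPE} \\# {len(SAMPLE_RDATA)} {SAMPLE_RDATA.hex()}"
)
```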



