DNS record for finding a key from an e-mail address

Doug Barton dougb at dougbarton.email
Mon Mar 14 21:38:49 CET 2016


The IETF is currently working on a specification for a DNS record 
(secured by DNSSEC) that will allow users to find a PGP key from an 
e-mail address. I'm interested in feedback on how y'all think that 
should work.

In one version the receiving user would create a truncated version of 
their key, using only the UID that is related to that e-mail address. 
The sending user would retrieve that key, and the mail software would 
rely on it to encrypt the mail to the receiving user. There is also some 
discussion in regards to how or whether the software doing the DNS 
lookup would, or would not, also utilize the sending user's key ring, 
but let's keep it simple for now.

In another version the receiving user would place the full fingerprint 
of their key in the DNS, and the sending user's software would use that 
fingerprint to retrieve the key and compare that retrieved key to the 
user's existing WOT, then inform the user of the results.

Of these alternatives, which do you see as most useful, and why? Or, do 
you imagine a different approach?


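The following is an added example illustrating the sender-side handling of the two designs described in the post; it is not code from the post, from GnuPG or from any IETF draft. It assumes the record naming scheme the DANE OPENPGPKEY work later standardised (SHA2-256 of the e-mail local-part, truncated to 28 octets, under the _openpgpkey label) and the RFC 4880 v4 fingerprint construction; the record payloads, the DnsAnswer class, the keyserver and keyring dictionaries and the toy public-key packet are all constructed here for illustration and are not real key material.

```python
import hashlib


# Where the record lives for a given address. Assumption: the scheme later
# published as RFC 7929 (hex(SHA2-256(local-part)[:28]) "._openpgpkey." domain).
# The local-part is hashed as-is, so case and other normalisation is the
# publisher's problem; the domain is case-insensitive in DNS anyway.
def openpgpkey_owner_name(email: str) -> str:
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._openpgpkey.{domain.lower()}"


# OpenPGP MPI encoding: 2-octet bit length followed by the big-endian integer.
def mpi(n: int) -> bytes:
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


# RFC 4880 section 12.2: v4 fingerprint = SHA-1(0x99 || 2-octet length || packet body).
def v4_fingerprint(pubkey_packet_body: bytes) -> str:
    prefix = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_packet_body).hexdigest().upper()


# Constructed toy public-key packet body: version 4, creation time, algorithm 1
# (RSA), MPI n, MPI e. The modulus is deliberately tiny and NOT a usable key;
# only the packet layout and the fingerprint arithmetic are real.
TOY_PUBKEY_BODY = (
    b"\x04" + (1457991529).to_bytes(4, "big") + b"\x01"
    + mpi(0xC7F1A6D3E5B9C21F) + mpi(65537)
)
TOY_FPR = v4_fingerprint(TOY_PUBKEY_BODY)


# What a validating resolver hands back: the record payload plus whether DNSSEC
# validation succeeded (the AD bit). Simulated here instead of doing a real query.
class DnsAnswer:
    def __init__(self, rdata: bytes, authenticated: bool):
        self.rdata = rdata
        self.authenticated = authenticated


# Design 1: the (truncated) key itself is the record. The only thing binding the
# key to the address is DNSSEC, so an unvalidated answer is treated as no answer,
# never as a key to encrypt to. Returns (status, fingerprint-or-None).
def key_from_dns(answer: DnsAnswer):
    if not answer.authenticated:
        return ("unauthenticated", None)
    return ("ok", v4_fingerprint(answer.rdata))


# Design 2: the record is a fingerprint; the key is fetched elsewhere (a keyserver,
# simulated by a dict) and the fetched material is checked against the fingerprint
# before the sender's own keyring / web of trust is consulted. The status string
# is what the mail client would show the user.
def key_from_fingerprint(answer: DnsAnswer, keyserver: dict, local_wot: dict):
    if not answer.authenticated:
        return ("unauthenticated", None)
    fpr = answer.rdata.hex().upper()
    key = keyserver.get(fpr)
    if key is None:
        return ("not-found", fpr)
    if v4_fingerprint(key) != fpr:
        # Keyserver substitution or corruption: never fall back to the bad key.
        return ("mismatch", fpr)
    # "full" / "marginal" are what the sender's WOT already says; "unknown" means
    # the DNS record introduced a key the user has never seen.
    return (local_wot.get(fpr, "unknown"), fpr)


KEYSERVER = {TOY_FPR: TOY_PUBKEY_BODY}   # constructed: fingerprint -> key material
LOCAL_WOT = {TOY_FPR: "full"}            # constructed: what the sender's keyring trusts

if __name__ == "__main__":
    print(openpgpkey_owner_name("hugh@example.com"))
    print(key_from_dns(DnsAnswer(TOY_PUBKEY_BODY, authenticated=True)))
    print(key_from_fingerprint(DnsAnswer(bytes.fromhex(TOY_FPR), True), KEYSERVER, LOCAL_WOT))
```

Note the asymmetry the two designs create: in design 1 DNSSEC is the sole authority for the key, so the client has nothing to cross-check and must refuse unvalidated answers outright; in design 2 the fingerprint is still only as trustworthy as the DNSSEC chain, but the retrieved key can be checked against that fingerprint and then against whatever the local keyring already says, which is the comparison the post describes.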