Questions re auto-key-locate

Dan Mahoney (Gushi) danm at prime.gushi.org
Tue Feb 15 21:32:50 CET 2022


Hey all,

A long time ago I wrote a doc on a blog about putting PGP keys in the DNS, 
which has been linked to quite a bit.  I also recoded make-dns-cert as a 
shell script so that people who want to do this but don't have access to 
the make-dns-cert tool (which is not built by default in some OS packages) 
have an option to do this.

At the day job, we have a script that we use to push gpg-signed releases 
to our FTP server, and as part of that job, it verifies the signatures on 
the tarball, and will try to auto-key-locate those keys if it can't find 
them.

Since the debacle a few years ago with the SKS keyserver denial-of-service 
attack, the keyservers are kind of a non-starter.  And because GPG 
searches for keys on a tarball by keyid, not by user@domain, a keyserver 
is the only real retrieval method available to look up a key by keyid, 
which is now a non-starter.

Worse still, if you know a key exists via something like DANE (dayjob 
makes DNS software, we like the idea of it being available via DANE), 
there's no way to do gpg --search via DANE, only via a keyserver.

Thus, using that as a prefetch method to grab the current version of our 
codesign@ key into our keyring is not helpful either, unless we "faked it" 
by attempting to encrypt a message to that address, then discarded it.

Is there another way forward?  The normal things for auto-key-locate don't 
seem to help here.  I'm open to ideas.

-Dan

(PS: on gnupg.org, the documentation for auto-key-locate dane says "Locate 
a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt."  It 
should probably say RFC7929 rather than referring to an I-D.)

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
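As an added example, not part of the post above and not GnuPG's or make-dns-cert's own code: the DANE lookup that `--auto-key-locate dane` performs starts from the RFC 7929 owner name, which is the SHA-256 hash of the address's local-part, truncated to 28 octets, under `_openpgpkey.<domain>`. The script below computes that name in POSIX sh and prints the dig and gpg commands that would fetch the key for it. It assumes `sha256sum` (coreutils) or `shasum` (Perl) is on PATH, hashes the local-part exactly as given (RFC 7929 leaves case handling to the caller, so that is an assumption here), and the address `codesign@example.com` is a constructed placeholder.

```shell
#!/bin/sh
# Added example: build the RFC 7929 OPENPGPKEY owner name for an address.
# Not the post's script and not GnuPG code. Assumes sha256sum or shasum is
# available; the local-part is hashed as given (no case folding).

sha256_hex() {
    # Hex SHA-256 digest of stdin, using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

openpgpkey_name() {
    # $1 = user@domain. RFC 7929 section 3: SHA-256(local-part) truncated
    # to 28 octets (56 hex chars), then "._openpgpkey." and the domain.
    local_part=${1%@*}
    domain=${1#*@}
    [ "$local_part" != "$1" ] || return 1   # no '@': not an address
    hash=$(printf '%s' "$local_part" | sha256_hex | cut -c1-56)
    printf '%s._openpgpkey.%s\n' "$hash" "$domain"
}

main() {
    # Print the owner name, then the commands that would fetch the key:
    # TYPE61 is the OPENPGPKEY RR type; --locate-keys runs the same
    # auto-key-locate algorithm gpg uses when encrypting, with no message.
    name=$(openpgpkey_name "$1") || { echo "usage: $0 user@domain" >&2; exit 2; }
    echo "$name"
    echo "dig +short TYPE61 $name"
    echo "gpg --auto-key-locate clear,dane --locate-keys $1"
}

main "${1:-codesign@example.com}"
```

The dig line is the offline check: if it returns no rdata for the computed name, `--auto-key-locate dane` cannot succeed for that address regardless of what the keyring holds. Note that this path is keyed by address, not by keyid, so it does not help locate a key named only by the key ID on a signature.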
