Questions re auto-key-locate
raf
gnupg at raf.org
Wed Feb 16 08:03:20 CET 2022
On Tue, Feb 15, 2022 at 12:32:50PM -0800, "Dan Mahoney (Gushi) via Gnupg-users" <gnupg-users at gnupg.org> wrote:
> Hey all,
>
> A long time ago I wrote a doc on a blog about putting PGP keys in the DNS,
> which has been linked to quite a bit. I also recoded make-dns-cert as a
> shell script so that people who want to do this but don't have access to the
> make-dns-cert tool (which is not built by default on some OS packages) had
> an option to do this.
>
> At the day job, we have a script that we use to push gpg-signed releases to
> our FTP server, and as part of that job, it verifies the signatures on the
> tarball, and will try to auto-key-locate those keys if it can't find them.
>
> Since the debacle a few years ago with the SKS keyserver denial-of-service
> attack, the keyservers are kind of a non-starter. And because GPG searches
> for keys on a tarball by keyid, not by user at domain, a keyserver is the only
> real retrieval method available to look up a key by keyid, which is now a
> non-starter.
>
> Worse still, if you know a key exists via something like DANE (dayjob makes
> DNS software, we like the idea of it being available via DANE), there's no
> way to do gpg --search via DANE, only via a keyserver.
>
> Thus, using that as a prefetch method to grab the current version of our
> codesign@ key into our keyring is not helpful either, unless we "faked it"
> by attempting to encrypt a message to that address, then discarded it.
>
> Is there another way forward? The normal things for auto-key-locate don't
> seem to help here. I'm open to ideas.
>
> -Dan
>
> (PS: on gnupg.org, the documentation for auto-key-locate dane says "Locate a
> key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt." It
> should probably say RFC7929 rather than referring to an I-D.)
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> FB: fb.com/DanielMahoneyIV
> LI: linkedin.com/in/gushi
> Site: http://www.gushi.org
> ---------------------------
Hi,
Recently, I asked for dane to be added to --auto-key-retrieve
when dane was in the auto-key-locate list (https://dev.gnupg.org/T5586),
but the outcome was: "Wontfix: DANE has been an experimental thing
and is imho dead".
I think that experiment might have taken place at a time when DNSSEC
was too much effort to implement. That's no longer the case, so maybe
the experiment should be allowed to continue.
But maybe it is dead. I don't really need it. My only interest was that
I'd written software that manages dane records (including openpgpkey),
but I don't know if anyone else is using that feature. Probably not.
cheers,
raf
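As an added example (not code from this thread, from GnuPG, or from Dan's make-dns-cert shell script): the OPENPGPKEY owner-name derivation that RFC 7929 specifies, plus the zone-file line for a key export, written as a POSIX shell script. It assumes a shell with one of sha256sum, shasum or openssl, and base64 and od; the `demo` function uses a constructed five-byte stand-in for a key export, not a real OpenPGP key. The owner name is SHA2-256 of the local part, truncated to 28 octets and hex-encoded, under `_openpgpkey.<domain>`.

```shell
#!/bin/sh
# OPENPGPKEY owner-name derivation and record formatting (RFC 7929).
# Added example; not code from the thread, GnuPG, or make-dns-cert.
# Assumes POSIX sh with sha256sum, shasum or openssl, plus base64 and od.

set -eu

# sha256 hex of stdin, using whichever tool is present
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | awk '{print $1}'
    else
        openssl dgst -sha256 | awk '{print $NF}'
    fi
}

# openpgpkey_owner user@example.com
# -> <sha256(local-part) truncated to 28 octets, hex>._openpgpkey.example.com
openpgpkey_owner() {
    addr=$1
    case $addr in
        *@*) ;;
        *) echo "openpgpkey_owner: not an address: $addr" >&2; return 1 ;;
    esac
    local_part=${addr%@*}      # everything before the last '@'
    domain=${addr##*@}
    # The local part is hashed exactly as given (RFC 7929 does not
    # lowercase it); the domain is a DNS name, so lowercasing is harmless.
    hash=$(printf '%s' "$local_part" | sha256_hex | cut -c1-56)
    domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    printf '%s._openpgpkey.%s\n' "$hash" "$domain"
}

# openpgpkey_record user@example.com key.bin [generic]
# key.bin is the binary (non-armored) public key, e.g. from
#   gpg --export --no-armor user@example.com > key.bin
# Emits a zone-file line in OPENPGPKEY presentation format by default,
# or as a generic TYPE61 record for name servers that predate RFC 7929.
openpgpkey_record() {
    addr=$1; keyfile=$2; form=${3:-native}
    owner=$(openpgpkey_owner "$addr")
    if [ "$form" = generic ]; then
        len=$(wc -c < "$keyfile" | tr -d ' ')
        hex=$(od -An -v -tx1 "$keyfile" | tr -d ' \n')
        printf '%s. IN TYPE61 \\# %s %s\n' "$owner" "$len" "$hex"
    else
        b64=$(base64 < "$keyfile" | tr -d '\n')
        printf '%s. IN OPENPGPKEY %s\n' "$owner" "$b64"
    fi
}

# Demonstration with a constructed stand-in for a key export (the bytes
# "hello", not a real OpenPGP key): owner-name derivation and both record forms.
demo() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"
    openpgpkey_owner 'Codesign@Example.COM'
    openpgpkey_record 'abc@example.com' "$tmp"
    openpgpkey_record 'abc@example.com' "$tmp" generic
    rm -f "$tmp"
}
demo
```

In practice GnuPG can emit the same record for you with `gpg --export-options export-dane --export user@example.com`, so the script mainly matters where gpg is not on the machine that manages the zone. Whichever way the record is produced, it only helps gpg if the zone is DNSSEC-signed, and lookup is still by address: `gpg --auto-key-locate clear,dane --locate-keys user@example.com` exercises the published record, but, as Dan notes, nothing in the DANE path lets you search by key ID.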