Hi! Let me note that I am currently working on a simplified key validation scheme. The basic idea is to connect a signature to an DNS entry.
Our assumption is that DNS is secure and unforgeable - as of now it is not but eventually DNSSEC will get deployed to solve this and many other problems. Here is how it works: To create a signature on an email (or any other data) you would use: gpg -s [EMAIL PROTECTED]@example.org foo (add other options as you see fit). Now when someone wants to verify the signature he does it using the usual gpg --verify foo.gpg gpg detects that foo.gpg has the notation key [EMAIL PROTECTED] and takes its value ([EMAIL PROTECTED]) to run a DNS query like: $ host -t txt werner._pka.example.org werner._pka.example.org text "v=pka1\;fpr=A4D94E92B0986AB5EE9DC\ D755DE249965B0358A2\;uri=finger:[EMAIL PROTECTED]" Now it compares the fingerprint given in that Text record against the one of the public key used to verify the signature. If they match, it has been proved that the mail address [EMAIL PROTECTED] is a legitimate address in the domain example.org. If not, someone tried to use a faked key. As of now we use the outcome of this test to change the validity status of the key either to FULL or to NEVER (if they don't match). A MUA - or an MTA - may now display the verified address [EMAIL PROTECTED] to the user and compare it to the From address. Will will likely add ptions to gpg to make this easier. As a bonus we also put the URI part into the TXT record to allow the specification of a keyserver or whatever to retrieve the public key. gpg uses this during signature verification as well when collecting the recipients of a message; i.e. if you use "-r [EMAIL PROTECTED]" it would try to locate a PKA record for joe (joe._pka.example.org) and use this for key validation as well as to retrieve the key for joe. If you want to play with this feature, you need to build the latest Subversion of gpg and put keyserver-options auto-pka-retrieve into your gpg.conf. For real PKA records, replace example.org by fsfe.org. If this all works out well, we might want to apply for a dedicated DNS record type instead of using TXT. The scheme may also be used for S/MIME. Shalom-Salam, Werner _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
