How would this work out for people who do not have control over the DNS record of domains? The best examples are free email services like Hotmail and Gmail.

-SK

--- Werner Koch <[EMAIL PROTECTED]> wrote:

> Hi!
>
> Let me note that I am currently working on a simplified key validation
> scheme. The basic idea is to connect a signature to a DNS entry.
>
> Our assumption is that DNS is secure and unforgeable - as of now it is
> not but eventually DNSSEC will get deployed to solve this and many other
> problems.
>
> Here is how it works:
>
> To create a signature on an email (or any other data) you would use:
>
>   gpg -s [EMAIL PROTECTED]@example.org foo
>
> (add other options as you see fit). Now when someone wants to verify
> the signature he does it using the usual
>
>   gpg --verify foo.gpg
>
> gpg detects that foo.gpg has the notation key [EMAIL PROTECTED]
> and takes its value ([EMAIL PROTECTED]) to run a DNS query like:
>
>   $ host -t txt werner._pka.example.org
>   werner._pka.example.org text "v=pka1\;fpr=A4D94E92B0986AB5EE9DC\
>   D755DE249965B0358A2\;uri=finger:[EMAIL PROTECTED]"
>
> Now it compares the fingerprint given in that Text record against the
> one of the public key used to verify the signature. If they match, it
> has been proved that the mail address [EMAIL PROTECTED] is a
> legitimate address in the domain example.org. If not, someone tried
> to use a faked key. As of now we use the outcome of this test to
> change the validity status of the key either to FULL or to NEVER (if
> they don't match).
>
> A MUA - or an MTA - may now display the verified address
> [EMAIL PROTECTED] to the user and compare it to the From address.
> We will likely add options to gpg to make this easier.
>
> As a bonus we also put the URI part into the TXT record to allow the
> specification of a keyserver or whatever to retrieve the public key.
> gpg uses this during signature verification as well when collecting
> the recipients of a message; i.e. if you use "-r [EMAIL PROTECTED]" it
> would try to locate a PKA record for joe (joe._pka.example.org) and
> use this for key validation as well as to retrieve the key for joe.
>
> If you want to play with this feature, you need to build the latest
> Subversion of gpg and put
>
>   keyserver-options auto-pka-retrieve
>
> into your gpg.conf. For real PKA records, replace example.org by
> fsfe.org. If this all works out well, we might want to apply for a
> dedicated DNS record type instead of using TXT. The scheme may also be
> used for S/MIME.
>
>
> Shalom-Salam,
>
>    Werner
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
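The lookup-and-compare step Werner describes, as an added example that is not part of the original post and not GnuPG's own code: it maps a mail address to its `_pka` owner name, parses a `v=pka1` TXT record (accepting both the raw record and the `\;`-escaped form that `host` prints), and returns the validity the post says gpg assigns (FULL on match, NEVER on mismatch). DNS is replaced by a constructed in-memory table; the `werner` entry reuses the fingerprint and name from the post, while the `joe` and `mallory` entries, their fingerprints and the `finger:` URI are invented test data. Because the notation name is redacted on the page, the signer address is passed in directly, and the UNKNOWN result for a missing or malformed record is an assumption about how an unvalidated key is left, not something the post states.

```python
"""PKA record parsing and key-validation decision (illustrative, not gpg's code)."""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, Optional

# Fingerprint from the TXT record shown in the post, joined across its line wrap.
WERNER_FPR = "A4D94E92B0986AB5EE9DCD755DE249965B0358A2"

# Constructed stand-in for DNS: owner name -> TXT record as a resolver would
# hand it back. Only the werner name and fingerprint come from the post; the
# other entries (and the finger: URI) are invented test data.
CONSTRUCTED_DNS: Dict[str, str] = {
    # Escaped presentation form, as printed by `host -t txt`.
    "werner._pka.example.org":
        '"v=pka1\\;fpr=' + WERNER_FPR + '\\;uri=finger:werner@example.org"',
    # Raw wire form, lower-case fingerprint, no uri field.
    "joe._pka.example.org":
        "v=pka1;fpr=0123456789abcdef0123456789abcdef01234567",
    # Unknown version tag: must be ignored, never trusted.
    "mallory._pka.example.org":
        "v=pka9;fpr=" + WERNER_FPR,
}

_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


@dataclass(frozen=True)
class PkaRecord:
    fpr: str            # 40 upper-case hex digits of the expected key fingerprint
    uri: Optional[str]  # optional hint where the key can be fetched


def pka_name(address: str) -> str:
    """Map user@domain to the PKA owner name user._pka.domain."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a single mail address: {address!r}")
    return f"{local}._pka.{domain}"


def parse_pka_txt(txt: str) -> Optional[PkaRecord]:
    """Parse a v=pka1 TXT record; return None for anything not well-formed."""
    s = txt.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]                     # drop the quotes `host` wraps around TXT data
    s = s.replace("\\;", ";")           # zone-file presentation escapes ';' as '\;'
    kv = {}
    for field in s.split(";"):
        field = field.strip()
        if not field:
            continue
        key, eq, value = field.partition("=")
        if not eq:
            return None                 # every field must be key=value
        kv[key.strip().lower()] = value.strip()
    if kv.get("v") != "pka1":
        return None
    fpr = kv.get("fpr", "").replace(" ", "").upper()
    if not _FPR_RE.match(fpr):
        return None                     # wrong length or non-hex: treat as absent
    return PkaRecord(fpr=fpr, uri=kv.get("uri") or None)


def lookup_pka(address: str, resolver: Dict[str, str] = CONSTRUCTED_DNS) -> Optional[PkaRecord]:
    """Resolve the address's _pka TXT record from the (constructed) resolver."""
    txt = resolver.get(pka_name(address))
    return parse_pka_txt(txt) if txt is not None else None


def validate_key(address: str, key_fpr: str, resolver: Dict[str, str] = CONSTRUCTED_DNS) -> str:
    """Validity the post assigns: FULL if the DNS fingerprint matches the key
    that verified the signature, NEVER if it does not. UNKNOWN (an assumption,
    not stated in the post) when there is no usable record to compare against."""
    rec = lookup_pka(address, resolver)
    if rec is None:
        return "UNKNOWN"
    return "FULL" if rec.fpr == key_fpr.replace(" ", "").upper() else "NEVER"


def from_matches_signer(from_header: str, signer_address: str) -> bool:
    """MUA-side check from the post: the DNS-verified signer address must equal
    the From address, or the signature proves nothing about the sender shown."""
    _, from_addr = parseaddr(from_header)
    return from_addr.lower() == signer_address.lower()


if __name__ == "__main__":
    for who, fpr in (("werner@example.org", WERNER_FPR),
                     ("joe@example.org", WERNER_FPR),
                     ("mallory@example.org", WERNER_FPR)):
        print(who, validate_key(who, fpr))
```

The record under `mallory` carries the right fingerprint but an unknown version tag, which is why the parser rejects it outright instead of trusting the fingerprint: a verifier that skipped the version check would accept whatever a future, incompatible record format says.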