On Wed, Apr 05, 2006 at 03:18:31PM +0200, Peter Palfrader wrote:
> On Wed, 05 Apr 2006, David Shaw wrote:
>
> > On Wed, Apr 05, 2006 at 12:30:42PM +0200, Peter Palfrader wrote:
> >
> > > I notice that if I have both an IPGP and a PGP CERT RR, GnuPG fails
> > > to import the key some of the time:
> >
> > [..]
> >
> > > } ;; ANSWER SECTION:
> > > } peter.palfrader.org. 43200 IN CERT 6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/
> > > } peter.palfrader.org. 43200 IN CERT PGP 0 0 mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N.....
> > >
> > > Is having them both not supported or is there a bug somewhere?
> >
> > At the moment, GnuPG will take whichever it sees first (the PGP or the
> > IPGP, but not both). So given round robining, if you have both, it
> > will seem to flip back and forth between the two. I'm thinking about
> > having GPG favor one or the other in these cases (probably PGP since
> > if it has already fetched the whole key, it may as well import it
> > rather than go to a web page or keyserver somewhere).
>
> On the other hand the key that is fetched via DNS has serious size
> constraints - DNS limits the RDATA to 64k and I think GnuPG further
> limits this to 16k. In my case I have significantly stripped down my
> key in order to store it in DNS, so maybe going to the keyserver or the
> location specified in IPGP might be a good idea.
Certainly the CERT PGP type has size restrictions, but I think that's
fine: I don't really see the CERT PGP type as a repository for whole
keys with dozens of signatures like on a keyserver. Rather, it's a place
to store minimal (via export-minimal) keys. Once this "seed" key is
gotten via CERT PGP, it can be fleshed out via a keyserver or preferred
keyserver subpacket on the key itself.

The GnuPG 16k max-cert-size is changeable, by the way:

  --keyserver-options max-cert-size=65536

16k was a bit of a guess as to a good value since CERT is so new.

Whether to favor CERT PGP or CERT IPGP is one of those things where a
reasonable case can be made for either path. It depends on what you're
using CERT for: if you were using CERT in a PKA-like scheme, you'd want
CERT PGP to get the answer as fast as possible, while if you were using
CERT as an automatic key locator you'd probably want CERT IPGP to get
all the signatures.

> > The reason it is not fetching from the IPGP record you have there is
> > there is only a fingerprint, and you must have a --keyserver defined
> > for it to fetch the fingerprint from in that case. Do you have a
> > --keyserver defined?
>
> Ah, now that I do it works nicely. Thanks! Maybe gpg should say that
> it wants to have a keyserver in this case?

Yes, I think it should.

Note that you could make your IPGP contain both a fingerprint and a URL
- that way you get to specify where the user will fetch your key from
(it may not exist in the manner you desire on their particular
keyserver).

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
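As an added illustration, not code from the thread or from GnuPG, here is a Python sketch of the selection policy discussed above: parse CERT RDATA in presentation form (RFC 4398 layout: type, key tag, algorithm, base64 certificate), split an IPGP payload into its fingerprint and optional URL, and prefer the inline PGP key only when it fits max-cert-size, falling back to IPGP, which needs either a URL in the record or a configured keyserver. The IPGP record is the one quoted in the thread; the PGP blob and the keyserver URL are constructed placeholders.

```python
import base64
from dataclasses import dataclass

# RFC 4398 CERT type mnemonics; dig may print the numeric code instead (the thread shows "6").
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5, "IPGP": 6}
PGP, IPGP = 3, 6

@dataclass
class CertRR:
    cert_type: int
    key_tag: int
    algorithm: int
    cert: bytes  # decoded certificate field

def parse_cert_rdata(rdata):
    """Parse presentation-form RDATA: '<type> <key tag> <algorithm> <base64 ...>'."""
    fields = rdata.split()
    ctype = CERT_TYPES.get(fields[0].upper()) or int(fields[0])
    return CertRR(ctype, int(fields[1]), int(fields[2]), base64.b64decode("".join(fields[3:])))

def decode_ipgp(cert):
    """IPGP payload: one length octet, a fingerprint of that length, then an optional URL."""
    n = cert[0]
    fingerprint = cert[1:1 + n].hex().upper() if n else None
    url = cert[1 + n:].decode("ascii") or None
    return fingerprint, url

def choose_source(records, max_cert_size=16384, keyserver=None):
    """Deterministic policy instead of 'first record seen': inline PGP key if it fits, else IPGP."""
    for r in records:
        if r.cert_type == PGP and len(r.cert) <= max_cert_size:
            return ("pgp", r.cert)
    for r in records:
        if r.cert_type == IPGP:
            fingerprint, url = decode_ipgp(r.cert)
            if url is None and keyserver is None:
                raise ValueError("IPGP record carries only a fingerprint; a --keyserver is required")
            return ("ipgp", fingerprint, url or keyserver)
    raise LookupError("no usable CERT record")

# Sample records: the IPGP record is the one quoted in the thread; the PGP blob is a
# constructed stand-in (just an OpenPGP public-key packet header), not a real key.
IPGP_RDATA = "6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/"
PGP_RDATA = "PGP 0 0 " + base64.b64encode(b"\x99\x01\xa2" + b"constructed, not a real key").decode()

if __name__ == "__main__":
    recs = [parse_cert_rdata(IPGP_RDATA), parse_cert_rdata(PGP_RDATA)]
    print(decode_ipgp(recs[0].cert))   # fingerprint only, no URL
    print(choose_source(recs)[0])      # 'pgp': the inline key fits max-cert-size
    print(choose_source(recs[:1], keyserver="hkp://keys.example.org"))  # constructed keyserver
```

With only the IPGP record and no keyserver, choose_source raises the "keyserver required" error that the thread suggests gpg should report.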