I have three separate questions, and I apologize in advance for posting to multiple newsgroups and mailservs.
But I was taught two things by some very smart individuals: 1) the only dumb question is an unasked one, and 2) when dealing with serious cryptography, do not guess; ask an actual cryptographer. So I have a few separate but related questions:

Is it possible to use OpenPGP in DANE? What do I need to do this?

Can I redirect applications that rely specifically on OpenSSL to use NSS or GnuTLS instead somehow? My understanding of external library calls is severely limited, but my understanding is that there is such a thing as DLL/SO injection, which renames the library and then places an impostor library in its place so that calls to that library are intercepted and either handled by the impostor or transparently forwarded to the real library. This happens all the time in the PC gaming world, and is a critical tool for cheating in multiplayer games. It is a method of manipulating the game client's internal binary logic. It follows logically that such a technique SHOULD be possible with OpenSSL, NSS and GnuTLS. It may be that there are wrappers or special programs or tools that already do this, but I am unaware of any that work universally. Are calls to OpenSSL standardized in some way? Could a simple symlink work?

DANE is a fascinating system, and some applications I am interested in optionally use DANE to verify the authenticity of certificates/keys. Is it possible to use DANE locally to indirectly use GnuTLS or NSS as backend cryptographic libraries? Does PowerDNS or any of the common DANE-supporting nameservers explicitly support cryptographic libraries other than OpenSSL? I made several attempts to divine this knowledge, and was unsuccessful. Perhaps my Google-fu is not enough. I fail to grok how I should do this. While applications like Pidgin use NSS, which is refreshing, most applications I take an interest in specifically link to OpenSSL, rather than being written as cryptographic-library agnostic. As a mere padawan, I do not know what I can do about this.
The project I have in mind uses Postfix and INN on a private LAN/VPN to exchange files amongst a group. This group is a set of local neighborhoods connected by explicit links. These links use CJDNS for IP address allocation and NameCoin for name allocation. However, NameCoin does not necessarily provide DANE emulation. NameCoin does support arbitrary extensions, because it can use any prefix:key=value binding by "spending" a NameCoin. This should be trivial enough to write with a simple Bash shell script. I am competent enough to write Bash shell scripts. However, I am too smart to attempt mucking about with cryptographic libraries without consulting a cryptography guru.

I realize I could somehow get PowerDNS to serve NameCoin .bit records using the local DNS cache or perhaps a script, but I'm not sure how to inject OpenPGP certs into DANE records. I do know I can bind OpenPGP keys into NameCoin .bit addresses in the same manner as regular DNS records, but I'm not sure if this is cryptographically sound. Thus why I'm asking people who DO know what they are doing. So by manually posting OpenPGP keys along with names into .bit records, then using a PowerDNS authoritative server to serve the .bit records from a local DNS cache (somehow), I could provide DANE records to bind .bit names to CJDNS IPv6 addresses. This would provide a completely decentralized network, both at the IP address space and DNS namespace levels, IF it works.

However, some of the servers I'd host on this infrastructure rely specifically on OpenSSL, and I suspect OpenSSL does not support verifying keys using OpenPGP, and perhaps not DANE. I'm honestly not sure. But INN and Postfix would have problems with server-to-server TLS links if the certs don't validate. I really want to use TLS, even though CJDNS does use NaCl cryptography for its peering links. I don't like relying on only one cryptographic library for security.
I want both the underlying NaCl cryptography and TLS cryptography to help protect sensitive data. But the idea of using a NameCoin + CJDNS -> PowerDNS + GnuPG + NSS/GnuTLS -> Nginx + INN + Postfix + ... stack seems a little precarious to me.

Thank you very much for your patience, time and attention. Thank you very much in advance for any help, advice, instruction, protips, hints or references you may give me. Thank you.

-- 
Alex Maurin <coyo AT darkdna DOT net>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
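Editor's note, with an added example that is not part of the post above and not code from GnuPG, Postfix, PowerDNS or Namecoin. The part of the question about "injecting OpenPGP certs into DANE records" has a standardized answer: RFC 7929 defines the OPENPGPKEY record (type 61), whose owner name is the hex of the first 28 octets of SHA-256 over the e-mail local-part, under `_openpgpkey.<domain>`, and whose RDATA is the binary (not ASCII-armored) transferable public key. Server-to-server TLS is covered by the older RFC 6698 TLSA record, which Postfix verifies for outbound SMTP when `smtp_tls_security_level = dane`. The script below turns an armored key export (checking the CRC-24 line) into an OPENPGPKEY record, emits the RFC 3597 generic `TYPE61 \# len hex` syntax for authoritative servers that predate the type, builds a `3 1 1` TLSA record from a DER SubjectPublicKeyInfo, and decodes a record back for verification after publishing. The e-mail address, host names, `SAMPLE_KEY` and `SAMPLE_SPKI` are constructed placeholders, not real key material.

```python
"""DANE records for OpenPGP keys (RFC 7929 OPENPGPKEY) and TLS keys (RFC 6698 TLSA).
Added example, not code from the thread or any project it names.
SAMPLE_KEY and SAMPLE_SPKI are constructed placeholder bytes, not a real key/cert."""
import base64
import hashlib

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1, armor checksum
CRC24_POLY = 0x1864CFB

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(key: bytes) -> str:
    """ASCII-armor binary key material the way `gpg --export --armor` lays it out."""
    b64 = base64.b64encode(key).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = "=" + base64.b64encode(crc24(key).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + body + [crc, END, ""])


def dearmor(text: str) -> bytes:
    """Binary transferable public key from an armored block (DNS wants the binary
    form, RFC 7929 section 2.1).  The CRC-24 line is verified when present."""
    lines = text.splitlines()
    if BEGIN not in lines:
        raise ValueError("no armor header")
    body, checksum, in_body = [], None, False
    for line in lines[lines.index(BEGIN) + 1:]:
        if line.startswith("-----END"):
            break
        if not in_body:                    # skip "Version:"/"Comment:" headers;
            in_body = line.strip() == ""   # a blank line ends them
            continue
        if line.startswith("="):           # checksum line
            checksum = line[1:].strip()
        else:
            body.append(line.strip())
    key = base64.b64decode("".join(body), validate=True)
    if checksum is not None and crc24(key) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("armor CRC-24 mismatch: key material is corrupt")
    return key


def openpgpkey_owner(email: str) -> str:
    """Owner name per RFC 7929 section 3: SHA-256 of the UTF-8 local-part as given
    (it is case-sensitive and not folded), truncated to 28 octets, hex-encoded.
    The domain part is case-insensitive, so it is lowercased."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._openpgpkey.{domain.lower().rstrip('.')}."


def openpgpkey_rr(email: str, key: bytes, ttl: int = 3600, generic: bool = False) -> str:
    """Zone-file line.  generic=True uses the RFC 3597 unknown-type syntax, which
    any authoritative server loads even if it does not know type 61 by name."""
    owner = openpgpkey_owner(email)
    if generic:
        return f"{owner} {ttl} IN TYPE61 \\# {len(key)} {key.hex()}"
    return f"{owner} {ttl} IN OPENPGPKEY {base64.b64encode(key).decode()}"


def openpgpkey_from_rr(rr: str) -> bytes:
    """Inverse of openpgpkey_rr for checking what `dig` returns (either syntax)."""
    f = rr.split()
    if "TYPE61" in f:
        i = f.index("TYPE61")
        if f[i + 1] != "\\#":
            raise ValueError("malformed generic RDATA")
        data = bytes.fromhex("".join(f[i + 3:]))
        if len(data) != int(f[i + 2]):
            raise ValueError("generic RDATA length mismatch")
        return data
    return base64.b64decode("".join(f[f.index("OPENPGPKEY") + 1:]))


def tlsa_rr(host: str, port: int, spki_der: bytes, proto: str = "tcp", usage: int = 3,
            selector: int = 1, mtype: int = 1, ttl: int = 3600) -> str:
    """TLSA record (RFC 6698).  Defaults are DANE-EE(3)/SPKI(1)/SHA-256(1): pin the
    server's own public key, independent of any CA.  spki_der is the DER
    SubjectPublicKeyInfo; pass the whole certificate DER with selector=0."""
    digest = {0: lambda d: d.hex(),
              1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}
    if mtype not in digest:
        raise ValueError("matching type must be 0, 1 or 2")
    return (f"_{port}._{proto}.{host.lower().rstrip('.')}. {ttl} IN TLSA "
            f"{usage} {selector} {mtype} {digest[mtype](spki_der)}")


SAMPLE_KEY = bytes(range(256)) * 2          # constructed placeholder, not an OpenPGP key
SAMPLE_SPKI = b"\x30\x59" + bytes(range(89))  # constructed placeholder, not a real SPKI

if __name__ == "__main__":
    key = dearmor(armor(SAMPLE_KEY))         # in practice: dearmor(open("key.asc").read())
    print(openpgpkey_rr("alice@example.bit", key))
    print(openpgpkey_rr("alice@example.bit", key, generic=True))
    print(tlsa_rr("mail.example.bit", 25, SAMPLE_SPKI))
```

Publishing these in a Namecoin-backed zone is just a matter of getting the two lines into whatever the PowerDNS backend serves; the record formats do not care where the zone data comes from. The verification side needs DNSSEC-validated answers, which is the piece a .bit-to-DNS bridge has to supply by other means (DNSSEC AD bit from a trusted local resolver), since DANE without a trusted path to the record pins nothing.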