Hey all,
A long time ago I wrote a doc on a blog about putting PGP keys in the DNS,
which has been linked to quite a bit. I also recoded make-dns-cert as a
shell script so that people who want to do this but don't have access to
the make-dns-cert tool (which is not built by default on some OS packages)
had an option to do this.
At the day job, we have a script that we use to push gpg-signed releases
to our FTP server, and as part of that job, it verifies the signatures on
the tarball, and will try to auto-key-locate those keys if it can't find
them.
Since the debacle a few years ago with the SKS keyserver denial-of-service
attack, the keyservers are kind of a non-starter. And because GPG
searches for keys on a tarball by keyid, not by user@domain, a keyserver
is the only real retrieval method available to look up a key by keyid,
which is now a non-starter.
Worse still, if you know a key exists via something like DANE (dayjob
makes DNS software, we like the idea of it being available via DANE),
there's no way to do gpg --search via DANE, only via a keyserver.
Thus, using that as a prefetch method to grab the current version of our
codesign@ key into our keyring is not helpful either, unless we "faked it"
by attempting to encrypt a message to that address, then discarded it.
Is there another way forward? The normal things for auto-key-locate don't
seem to help here. I'm open to ideas.
-Dan
(PS: on gnupg.org, the documentation for auto-key-locate dane says "Locate
a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt." It
should probably say RFC7929 rather than referring to an I-D.)
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
