Hey all,

A long time ago I wrote a doc on a blog about putting PGP keys in the DNS, which has been linked to quite a bit. I also recoded make-dns-cert as a shell script so that people who want to do this but don't have access to the make-dns-cert tool (which is not built by default on some OS packages) had an option to do this.

At the day job, we have a script that we use to push gpg-signed releases to our FTP server, and as part of that job, it verifies the signatures on the tarball, and will try to auto-key-locate those keys if it can't find them.

Since the debacle a few years ago with the SKS keyserver denial-of-service attack, the keyservers are kind of a non-starter. And because GPG searches for keys on a tarball by keyid, not by user@domain, a keyserver is the only real retrieval method available to look up a key by keyid, which is now a non-starter.

Worse still, if you know a key exists via something like DANE (dayjob makes DNS software, we like the idea of it being available via DANE), there's no way to do gpg --search via DANE, only via a keyserver.

Thus, using that as a prefetch method to grab the current version of our codesign@ key into our keyring is not helpful either, unless we "faked it" by attempting to encrypt a message to that address, then discarded it.

Is there another way forward? The normal things for auto-key-locate don't seem to help here. I'm open to ideas.

-Dan

(PS: on gnupg.org, the documentation for auto-key-locate dane says "Locate a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt." It should probably say RFC7929 rather than referring to an I-D.)

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
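An added example (not from Dan's post, nor GnuPG's or the day-job tool's code) showing the two pieces a DANE prefetch step needs when the tarball signature only carries a key ID: deriving the RFC 7929 OPENPGPKEY owner name from the codesign@ address, then computing the v4 fingerprint and key ID (RFC 4880 s.12.2) of whatever key that record holds so it can be matched against the key ID on the signature. The address, the record bytes and the toy RSA key are constructed placeholders; the record is the raw RDATA, i.e. the base64-decoded presentation form.

```python
import hashlib
import struct

def openpgpkey_owner_name(email: str) -> str:
    """RFC 7929 s.3: SHA-256 of the UTF-8 local part, truncated to 28 octets, hex-encoded,
    as the left-most label of <hash>._openpgpkey.<domain>. The local part is hashed exactly
    as written (no case folding), so publisher and client must agree on its spelling."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}"

def _packet_header(data: bytes) -> tuple[int, int, int]:
    """Return (tag, body length, body offset) of an RFC 4880 packet header."""
    b0 = data[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b0 & 0x40:  # new-format header (s.4.2.2)
        first = data[1]
        if first < 192:
            return b0 & 0x3F, first, 2
        if first < 224:
            return b0 & 0x3F, ((first - 192) << 8) + data[2] + 192, 3
        if first == 255:
            return b0 & 0x3F, struct.unpack(">I", data[2:6])[0], 6
        raise ValueError("partial-length packet unsupported")
    tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03  # old-format header (s.4.2.1)
    if ltype == 0:
        return tag, data[1], 2
    if ltype == 1:
        return tag, struct.unpack(">H", data[1:3])[0], 3
    if ltype == 2:
        return tag, struct.unpack(">I", data[1:5])[0], 5
    raise ValueError("indeterminate-length packet unsupported")

def v4_key_id(rdata: bytes) -> tuple[int, str, str]:
    """Parse the leading public-key packet of OPENPGPKEY RDATA (a transferable public key)
    and return (algorithm id, fingerprint, 64-bit key ID). RFC 4880 s.12.2: fingerprint =
    SHA-1 over 0x99 || 2-byte body length || body; the key ID is its low 64 bits."""
    tag, length, off = _packet_header(rdata)
    if tag != 6:
        raise ValueError(f"expected public-key packet (tag 6), got tag {tag}")
    body = rdata[off:off + length]
    if body[0] != 4:
        raise ValueError("only v4 keys handled here")
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return body[5], fp, fp[-16:]

# Constructed sample RDATA (not a real key): old-format tag-6 header with a 12-byte body,
# v4, creation time 0, algorithm 1 (RSA), toy MPIs n=0xC7 (8 bits) and e=0x11 (5 bits).
SAMPLE_RDATA = b"\x99\x00\x0c" + b"\x04" + b"\x00\x00\x00\x00" + b"\x01" + b"\x00\x08\xc7" + b"\x00\x05\x11"
```

The owner name can be queried with `dig <name> TYPE61` on any resolver, and the key ID the record yields is what to compare with the key ID that `gpg --verify` reports as missing before importing the key.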


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users