On Sat, 21 Feb 2015, Viktor Dukhovni wrote:
> Comments:
>
> * The below does not mention the hex encoding of the digest. Compare with
>   SMIMEA:

Thanks. Fixed for -02.

> * Grammar nit replace "its" with "their" or rephrase:

Fixed for -02.

> * Forward security vouching for long-term keys
>
> There's a typo in the first word of the highlighted paragraph:
>
>>     Therefor, an OpenPGP key obtained via an OPENPGPKEY

Fixed Therefor -> Therefore.

>>     verification of the "Web of Trust". See [OPENPGPKEY-USAGE]
>>     for more in-depth information on safe usage of OPENPGPKEY
>>     based OpenPGP keys.
>
> A complementary approach is to not use the retrieved OpenPGP
> key beyond the signature lifetime of the OPENPGPKEY RRset RRSIG
> record. Keys obtained from DNS should be refreshed as often
> as is practical (ideally before encrypting each message) and
> never used beyond the RRSIG lifetime. Were the RRSIG in question
> signed by an attacker, only messages signed before the key is
> refreshed are compromised. Of course this requires that PGP
> user agent software track the provenance and cache lifetime of
> keys obtained via DNS.

I would like that discussion to go into the OPENPGPKEY-USAGE document.

> * Encoding tools:
>
>>     Appendix A. Generating OPENPGPKEY records
>>
>>     gpg --export --export-options export-minimal \
>>         [email protected] | base64
>
> the "openssl base64" command is an alternative on many other platforms.

What is more widespread? coreutils or openssl ?

> Later the examples don't yet use the newly allocated TYPE61:

Well spotted :) Fixed.

> the type should of course now be TYPE61. May as well give a
> recipe for generating "SHA2-224(hugh)":
>
>     printf "%s" hugh |
>         openssl dgst -sha224 -binary |
>         hexdump -ve '/1 "%.2x"' -e '/28 "\n"'

Sure. But what is more common, coreutils or openssl :)
Paul
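The two recipes debated above (base64 of a minimal key export, and the hex-encoded SHA2-224 of the local-part) put together as one added shell example; this is not code from the draft or from either poster. It assumes the -02 layout discussed in the thread: the owner name is the hex of all 28 SHA2-224 octets under the `_openpgpkey` label (that label comes from the draft, not from the thread), and the RDATA is written in the RFC 3597 generic `\#` form so that zone tooling that only knows `TYPE61` can load it. The digest helper tries the coreutils `sha224sum` first and falls back to `openssl dgst`, since which of the two is more widespread is exactly the open question in the thread.

```shell
#!/bin/sh
# Added example, not part of the draft or the mailing-list thread.
# Assumptions: SHA2-224 of the local-part, all 28 octets hex-encoded,
# owner label "_openpgpkey" (taken from the draft), RFC 3597 "\#" RDATA.

# Lower-case hex of SHA2-224 over the local-part. coreutils first,
# openssl as the fallback; both give identical output.
sha224_hex() {
    if command -v sha224sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha224sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha224 -binary \
            | od -An -v -tx1 | tr -d ' \n'
    fi
}

# "local@domain" -> "<56 hex chars>._openpgpkey.<domain>."
# The local-part is hashed as given; any mailbox-name normalisation
# a deployment wants must happen before this call.
openpgpkey_owner() {
    local_part=${1%@*}
    domain=${1#*@}
    printf '%s._openpgpkey.%s.\n' "$(sha224_hex "$local_part")" "$domain"
}

# RDATA in RFC 3597 generic syntax from a binary key file, for example
#   gpg --export --export-options export-minimal <mailbox> > key.bin
# The octet count must match the hex payload or the zone will not load.
openpgpkey_generic_rdata() {
    keyfile=$1
    octets=$(wc -c < "$keyfile" | tr -d ' ')
    hex=$(od -An -v -tx1 < "$keyfile" | tr -d ' \n')
    printf 'TYPE61 \\# %s %s\n' "$octets" "$hex"
}

# Usage: openpgpkey_record.sh user@example.com key.bin
# (prints the owner name and the generic-form RDATA on two lines)
if [ "$#" -eq 2 ]; then
    openpgpkey_owner "$1"
    openpgpkey_generic_rdata "$2"
fi
```

Piping the `base64` output from the draft's Appendix A into a zone file only works with tooling that already knows the OPENPGPKEY presentation format; the generic form above is what to use with a nameserver that still treats the type as opaque `TYPE61`.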
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane