Hi,

Fedora is probably the first to use OPENPGPKEY at a large scale.

https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01

Everyone[*] who added a GPG keyid in FAS has their key published now
using the OPENPGPKEY specification. You can obtain a key using the
openpgpkey command of the hash-slinger package:

paul@bofh:~$ openpgpkey --fetch pwout...@fedoraproject.org
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: pwout...@fedoraproject.org key obtained from DNS
Comment: key transfer was protected by DNSSEC
Version: GnuPG v1

[blob]

Note that during FAS processing I found out that:

1) there are many nonsense values instead of keyids in the fas field
   (some put in their fingerprint, which is not useful without a key,
   some had multiple keyids, and one person managed to unicode kill
   python-gnupg by putting their name in there)
2) most people don't have their fedoraproject.org as uid on their key
3) a LOT of keys were expired - I still put these in the zone
4) the gpg/python-gnupg minimal export still caused some keys to be too
   big for dns. I simply removed those keys from the zone data.
5) almost all these keys are old keys of which I could forge a fake
   matching keyid and upload it to public key servers.

This last item is important because we sadly did not store the actual
public keys in FAS, but only their keyid. We should really change that.

Updating your key in fas does not yet automatically update the
OPENPGPKEY record in DNS.

If you are brave, you can install openpgpkey-milter on your mail server,
and it will start to automatically encrypt email to those
fedoraproject.org email addresses that have keys associated with them.

If you want to run this yourself in other domains, you can use the openpgpkey
command to generate these records for keys in your local gnupg keyring:

        openpgpkey --create p...@nohats.ca

See further: man openpgpkey

Paul
ps. thunderbird/enigmail support anyone? GSoC? :)
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct