Hi!

David Shaw wrote:
>> With PKA, you can even get automatic key retrieval without a keyserver.
>
> That's not quite right. PKA records in DNS can point to a keyserver,
> but you still need the keyserver in the mix somewhere (though, like the
> "preferred keyserver" feature, that "keyserver" might be a key stored on
> a web server).

True, you still need some kind of server (one might argue that even using CERT, you have a 'keyserver' - the DNS server itself). The notable difference, however, is that a web server presents my key exactly as *I* desire, allowing for removed signatures, replacing the key by a new one etc. PKA is the way to get somebody to use my web server already for initial key retrieval (although this might not be the primary purpose of PKA) so that the (synchronizing merge-only) keyserver network is avoided.

> CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS.

Unfortunately, my provider does not allow me to set CERT type DNS records. TXT is possible (for, e.g., SPF and PKA). I will ask whether they can do it (since it appears to be natively supported in BIND 9, right?)

cu, Sven