On Apr 21, 2009, at 1:31 AM, Sven Radde wrote:


David Shaw schrieb:
With PKA, you can even get automatic key retrieval without a keyserver.

That's not quite right.  PKA records in DNS can point to a keyserver,
but you still need the keyserver in the mix somewhere (though, like the "preferred keyserver" feature, that "keyserver" might be a key stored on
a web server).

True, you still need some kind of server (one might argue that even
using CERT, you have a 'keyserver' - the DNS server itself).
The notable difference, however, is that a web server presents my key
exactly as *I* desire, allowing for removed signatures, replacing the
key by a new one etc.
PKA is the way to get somebody to use my web server already for initial key retrieval (although this might not be the primary purpose of PKA) so
that the (synchronizing merge-only) keyserver network is avoided.

Absolutely. I do the same thing, just using CERT. CERT has two modes: "PGP" (where the whole key lives in DNS), and "IPGP" for Indirect PGP, where you give a URL as in PKA. IPGP and PKA are basically the same thing from the find-a-key perspective.

It's sort of questionable how practical PGP mode is, with the whole key stuffed into DNS. You'd get into DNS over TCP fairly quickly, and then (poor) firewalls can start being cranky. GnuPG does support getting keys this way, and I suppose it could be useful with a stripped-down key (no 3rd party signatures, or even the output of "minimize") and expect that people will eventually learn the rest of the key info from a full keyserver. I suspect the basic idea is more useful for distributing other OpenPGP objects like revocations, as they are quite small and the DNS check for a revocation is quite cheap.

IPGP, though, is very handy.

CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS.

Unfortunately, my provider does not allow me to set CERT type DNS
records. TXT is possible (for, e.g., SPF and PKA).
I will ask whether they can do it (since it appears to be natively
supported in BIND 9, right?)

Ugh, that's a problem. CERT has been supported since mid BIND 8 (and arguably longer since you can do stuff like "TYPE37" and raw encoding), but if your provider doesn't let you set arbitrary records, then you're stuck. I've seen providers that do DNS through a web GUI with a drop-down menu that allows you to choose A, CNAME, or TXT. I suppose we should be grateful they at least allow TXT!
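To make the record formats discussed in this thread concrete, here is an added example (not code from the thread or from GnuPG) that builds the same IPGP pointer three ways: the RFC 4398 CERT wire format, the RFC 3597 "TYPE37 \# ..." generic zone syntax for servers without native CERT support, the native BIND-style CERT line, and the equivalent PKA TXT record. The fingerprint, URL and owner names are constructed sample values. The parser shows the part a client should actually rely on: the fingerprint in the record is what lets it check that the key fetched from the URL is the one the owner meant, since a plain DNS answer (absent DNSSEC) is otherwise unauthenticated.

```python
import base64

# Constructed sample values for the demo (not from the thread): a made-up fingerprint and URL.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_URL = "https://www.example.com/keys/alice.asc"
CERT_TYPE_IPGP = 6  # RFC 4398 certificate type "IPGP": indirect PGP (fingerprint + URL)


def ipgp_rdata(fingerprint_hex: str, url: str) -> bytes:
    """Wire-format CERT RDATA for an IPGP record (RFC 4398 sections 2.1 and 3.3).

    Layout: type(2) | key tag(2) | algorithm(1) | fingerprint length(1) | fingerprint | URL.
    Key tag and algorithm are zero for the PGP/IPGP types.
    """
    fpr = bytes.fromhex(fingerprint_hex)
    if len(fpr) > 255:
        raise ValueError("fingerprint does not fit the one-octet length field")
    return (CERT_TYPE_IPGP.to_bytes(2, "big") + b"\x00\x00" + b"\x00"
            + bytes([len(fpr)]) + fpr + url.encode("ascii"))


def parse_ipgp_rdata(rdata: bytes) -> tuple:
    """Inverse of ipgp_rdata: recover (fingerprint hex, URL) from wire-format RDATA.

    The fingerprint is what a client compares against the key it fetches from the URL.
    """
    if len(rdata) < 6 or int.from_bytes(rdata[0:2], "big") != CERT_TYPE_IPGP:
        raise ValueError("not an IPGP CERT record")
    fplen = rdata[5]
    fpr, url = rdata[6:6 + fplen], rdata[6 + fplen:]
    if len(fpr) != fplen:
        raise ValueError("truncated fingerprint")
    return fpr.hex().upper(), url.decode("ascii")


def cert_record_generic(owner: str, fingerprint_hex: str, url: str) -> str:
    """Zone-file line in RFC 3597 generic syntax (TYPE37 \\# <len> <hex>), which a
    server without native CERT support can usually still load."""
    rdata = ipgp_rdata(fingerprint_hex, url)
    return f"{owner} IN TYPE37 \\# {len(rdata)} {rdata.hex()}"


def cert_record_native(owner: str, fingerprint_hex: str, url: str) -> str:
    """Zone-file line in native CERT syntax: type mnemonic, key tag, algorithm, base64 body."""
    body = ipgp_rdata(fingerprint_hex, url)[5:]  # everything after the 5-byte header
    return f"{owner} IN CERT IPGP 0 0 {base64.b64encode(body).decode('ascii')}"


def pka_record(local_part: str, domain: str, fingerprint_hex: str, url: str) -> str:
    """GnuPG PKA equivalent: a TXT record under <local>._pka.<domain>."""
    return f'{local_part}._pka.{domain}. IN TXT "v=pka1;fpr={fingerprint_hex};uri={url}"'
```

Calling `cert_record_generic("alice.example.com.", SAMPLE_FPR, SAMPLE_URL)` prints the line to paste into a zone that only accepts raw records; `pka_record("alice", "example.com", ...)` gives the TXT form for providers that allow TXT but not CERT.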


Gnupg-users mailing list