DANE (was: mailto with pgp fingerprint)

2014-07-28 Thread Nicolai Josuttis (enigmail)
Are you or is someone working on DANE support for GnuPG?
Any schedule?

On 22.07.2014 16:27, Werner Koch wrote:
> 
> On Tue, 22 Jul 2014 09:40, enigm...@josuttis.de said:
>> More and more we seem to have the problem of faked keys in the
>> key servers. This especially applies to "well known" keys such
>> as authors of magazines and famous tools.
> 
> This is actually the problem of checking the validity of the key. 
> Granted, gpg is not smart enough to figure out the best matching
> key but that is something which can be fixed.
> 
> A more simple way of tackling this is to use PKA or DANE for key 
> validation: For sending mail you already need DNS and thus it would
> be easy to retrieve the matching key from the DNS.  The drawback is
> that this must be configured by the key owner and can't be changed
> by the sender.
> 
> 
> Shalom-Salam,
> 
> Werner
> 

-- 
Nicolai M. Josuttis
www.josuttis.de
mailto:n...@enigmail.net
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


mailto with pgp fingerprint

2014-07-22 Thread Nicolai Josuttis (enigmail)
More and more we seem to have the problem of faked keys in the key
servers. This especially applies to "well known" keys such as
authors of magazines and famous tools.

In addition, I have the problem that I'd like to use a special
reply-to address, which is not listed in the keyservers, but it
should be easy to associate that with a (known) public key.

So, I was wondering whether it is possible to force somehow the usage
of a specific pgp key identified by its fingerprint.

One obvious approach might be to extend the mailto format
(see http://www.rfc-editor.org/rfc/rfc2368.txt).

I was wondering whether it makes sense to standardize something like
> 
or
>
> 

so that we can provide elements in websites and emails
that force mailers to automatically choose the right public key
(either from an internal list or from key servers).
The semantics would be:
- use the passed pgp key with the following email address

Mailers/PGP-tools could even use this to update their key rings.
(but with appropriate interaction and/or warning/error handling,
 because this can be a simple security hole if a link would just
 assign faked associated keys.)

We could even use a syntax like:
>> 
or
>> 
to force the usage of a pgp key and derive the email address from there.

Questions:
- Would such a thing make sense or am I missing something?
- Is there even something like that already there or on the way?
- If not, is somebody familiar with the process or even willing
  to propose this as an RFC?
- Other thoughts?

And BTW, if this is too much out of scope of GnuPG issues:
- What would be the right place to discuss such a thing?

Best
 Nico

-- 
Nicolai M. Josuttis
www.josuttis.de
mailto:n...@enigmail.net
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5


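As an added illustration of the proposal above (this is example code, not from the thread or from GnuPG/Enigmail), the following shows how a mailer could honour a fingerprint pinned in a mailto: link: select only the locally known key with that exact fingerprint, refuse to guess when an unpinned address is ambiguous, and compute the v4 fingerprint of a key fetched from a keyserver before accepting it for the pin. The header-field name `pgp-fingerprint`, the keyring layout and all addresses and fingerprints are assumptions, since the proposed syntax did not survive in the archived message.

```python
# Added example, not from the mailing-list thread. The "pgp-fingerprint"
# mailto: header field is an assumed name; the keyring and link are constructed.
import hashlib
from urllib.parse import urlsplit, parse_qs, unquote

HEX = set("0123456789ABCDEF")

def normalize_fingerprint(text):
    """Canonical form: 40 upper-case hex digits, no spaces, no 0x prefix."""
    fpr = text.replace(" ", "").upper()
    fpr = fpr[2:] if fpr.startswith("0X") else fpr
    if len(fpr) != 40 or set(fpr) - HEX:
        raise ValueError("not a v4 OpenPGP fingerprint: %r" % text)
    return fpr

def parse_mailto(uri):
    """Split an RFC 2368 mailto: URI into its recipient list and header fields."""
    parts = urlsplit(uri)
    if parts.scheme != "mailto":
        raise ValueError("not a mailto: URI")
    addrs = [unquote(a) for a in parts.path.split(",") if a]
    fields = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    return addrs, fields

def select_key(uri, keyring):
    """Return the key the link pins, or None. Never imports anything: an
    absent pinned key or an ambiguous unpinned address yields None so the
    caller has to fetch and verify (see v4_fingerprint) or ask the user."""
    addrs, fields = parse_mailto(uri)
    pin = fields.get("pgp-fingerprint")        # assumed field name
    if pin is not None:
        pin = normalize_fingerprint(pin)
        return next((k for k in keyring if k["fpr"] == pin), None)
    by_uid = [k for k in keyring if any(a in k["uids"] for a in addrs)]
    return by_uid[0] if len(by_uid) == 1 else None

def v4_fingerprint(pubkey_body):
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, a 2-byte big-endian length
    and the public-key packet body. Compare against the pin before trusting
    a key fetched from a keyserver by e-mail address."""
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()

# Constructed keyring: two keys carry the same e-mail, standing in for a
# genuine key and a faked keyserver upload. Only the pin tells them apart.
KEYRING = [
    {"fpr": "0123456789ABCDEF0123456789ABCDEF01234567", "uids": ["user@example.org"]},
    {"fpr": "FEDCBA9876543210FEDCBA9876543210FEDCBA98", "uids": ["user@example.org"]},
]
LINK = "mailto:user@example.org?subject=hi&pgp-fingerprint=0123456789abcdef0123456789abcdef01234567"
```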