ietf-openpgp

Re: Please review OpenPGP part of RFC 2538bis

2004-11-30 19:52:07

David Shaw <dshaw(_at_)jabberwocky(_dot_)com> writes:

On Sat, Nov 06, 2004 at 07:48:31PM +0100, Simon Josefsson wrote:

   Applications that receive an OpenPGP packet but do not know the email
   address of the sender will have difficulties guessing the correct
   owner name.  However, the OpenPGP packet typically contains the Key ID
   of the key.  Such applications can derive the owner name from the Key
   ID using a Base 16 encoding [8].  For example:

      $ORIGIN example.org.
      F835EDA21E94B565716F    IN CERT PGP ...
      B565716F                IN CNAME F835EDA21E94B565716F

   Again, if the same key material is stored at several owner names,
   a CNAME can be used to avoid data duplication.

One of the things that struck me when reading this draft is that
while there are several suggested ways to name keys in DNS, there is
no one canonical name as a SHOULD or MUST. I suggest that the key
fingerprint be the canonical name, and all others be CNAMEs pointing
to the fingerprint name.

I'm aware of this, and it is a touchy issue.  I was trying to avoid
it. Traditionally, few RR types enforce rules for the owner name.  It
may be contentious to add this.  I'll add an open issue: whether to
enforce owner name guidelines with SHOULD/MUST.

I have general concerns about the size of OpenPGP keys in DNS, but I
wonder if DNS would be a good way to distribute revocation
certificates in a low-overhead sort of way.

Right.  If there were no SHOULD/MUST on the owner name rules, perhaps
storing revocation certificates under "rev-0xB565716F" would work,
which might avoid storing both the key itself and the revocation
information under the same name.  If they are stored under the same
name, the response would include both, and be large, so the advantage
of using DNS as a light-weight revocation checking infrastructure is
lessened.

Thanks,
Simon
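The naming scheme discussed in this thread, as an added example that is not part of the draft or of either message: derive the Base 16 owner names for a key from its fingerprint and Key IDs, store the CERT once under the full-fingerprint name (David's canonical-name suggestion) with the Key ID names as CNAMEs, keep the revocation certificate under a separate "rev-0x<short key id>" name (Simon's idea above), and resolve queries through the CNAME chain with a loop guard. The fingerprint, the CERT/revocation rdata and the zone contents are constructed placeholders; the "rev-0x" label form is taken from the message above and is not something the draft specifies.

```python
import base64

ORIGIN = "example.org."   # constructed zone origin, as in the draft's example
MAX_CNAME_HOPS = 8        # guard against runaway or looping CNAME chains


def owner_name(key_bytes: bytes, origin: str = ORIGIN) -> str:
    """Owner name = Base 16 (RFC 3548/4648 alphabet) of the raw key bytes, one label."""
    label = base64.b16encode(key_bytes).decode("ascii")
    return f"{label}.{origin}"


def key_ids(fingerprint: bytes):
    """For an OpenPGP v4 key the 64-bit Key ID is the low 64 bits of the
    160-bit fingerprint, and the 32-bit 'short' Key ID is the low 32 bits."""
    if len(fingerprint) != 20:
        raise ValueError("expected a 20-byte v4 fingerprint")
    return fingerprint[-8:], fingerprint[-4:]


def build_zone(fingerprint: bytes, cert_rdata: str, origin: str = ORIGIN) -> dict:
    """Canonical owner name is the full fingerprint; both Key ID names are
    CNAMEs pointing at it, so the (large) key data is stored exactly once."""
    canonical = owner_name(fingerprint, origin)
    zone = {canonical: ("CERT", cert_rdata)}
    for kid in key_ids(fingerprint):
        zone[owner_name(kid, origin)] = ("CNAME", canonical)
    return zone


def add_revocation(zone: dict, fingerprint: bytes, rev_rdata: str,
                   origin: str = ORIGIN) -> str:
    """Store the revocation certificate under its own owner name
    ("rev-0x<short key id>", assumed label form) so a revocation query
    does not also pull the full key down with it."""
    _, short_id = key_ids(fingerprint)
    name = f"rev-0x{base64.b16encode(short_id).decode('ascii')}.{origin}"
    zone[name] = ("CERT", rev_rdata)
    return name


def resolve(zone: dict, qname: str, max_hops: int = MAX_CNAME_HOPS):
    """Follow CNAMEs the way a resolver would (case-insensitively) and
    return (final_owner_name, rrtype, rdata). Detects loops and long chains."""
    index = {k.upper(): k for k in zone}          # DNS names compare case-insensitively
    seen = set()
    for _ in range(max_hops):
        key = index.get(qname.upper())
        if key is None:
            raise KeyError(f"NXDOMAIN: {qname}")
        if key in seen:
            raise ValueError(f"CNAME loop at {key}")
        seen.add(key)
        rrtype, rdata = zone[key]
        if rrtype != "CNAME":
            return key, rrtype, rdata
        qname = rdata                              # chase the CNAME target
    raise ValueError(f"CNAME chain exceeds {max_hops} hops")


def zone_file(zone: dict, origin: str = ORIGIN) -> str:
    """Render the zone in master-file style, like the draft's own example."""
    lines = [f"$ORIGIN {origin}"]
    for name, (rrtype, rdata) in zone.items():
        rel = name[: -len(origin) - 1]            # strip the trailing ".<origin>"
        tgt = rdata[: -len(origin) - 1] if rrtype == "CNAME" else rdata
        lines.append(f"{rel:<42} IN {rrtype} {tgt}")
    return "\n".join(lines)


# Constructed sample data: a made-up v4 fingerprint whose low 32 bits match
# the draft's example Key ID B565716F, and placeholder CERT rdata.
SAMPLE_FP = bytes.fromhex("00000123456789ABCDEFF835EDA21E94B565716F")
SAMPLE_CERT = "PGP 0 0 AAAA"       # placeholder, not a real key
SAMPLE_REV = "PGP 0 0 BBBB"        # placeholder, not a real revocation certificate

if __name__ == "__main__":
    z = build_zone(SAMPLE_FP, SAMPLE_CERT)
    add_revocation(z, SAMPLE_FP, SAMPLE_REV)
    print(zone_file(z))
    # A client that only knows the short Key ID from the packet:
    print(resolve(z, "b565716f.example.org."))
```

Querying "B565716F.example.org." lands on the fingerprint-named CERT via one CNAME hop, while a query for "rev-0xB565716F.example.org." returns only the revocation record, which is the size advantage Simon describes.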

