On Wed, 23 Sep 2015, Simon Josefsson wrote:
Some people disagree with you and think DNSSEC is a viable PKI for their
intended use. These people want to use DNSSEC. We can give those people
an experimental RFC with OPENPGPKEY record, or we can force them to use
an individual submitted draft with a TXT record stalled until expiry.
Or they can use the already specified CERT record, which GnuPG supports.
You would still need to address the key lookup mechanism. One of the
reasons CERT failed for openpgp was the lack of binding between mailbox
and DNS. You did not know where to look for the CERT record.
Yes, CERT has its own share of problems, that you have explained, but I
don't see that any of the issues you brought up with CERT (that I mostly
agree with, FWIW) has had bearing on its deployment success or not.
I agree. The lookup mechanism makes things like this possible:
apt-get install hash-slinger
openpgpkey --fetch pwouters(_at_)fedoraproject(_dot_)org
As well as running automatic encryption using the openpgpkey-milter with
postfix or sendmail. If you install openpgpkey-milter, your mail sever
will already encrypt all email sent to me.
Paul