Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-open

Paul Wouters <paul(_at_)nohats(_dot_)ca> writes:

> On Wed, 23 Sep 2015, Simon Josefsson wrote:
>
> > > Some people disagree with you and think DNSSEC is a viable PKI for their
> > > intended use. These people want to use DNSSEC. We can give those people
> > > an experimental RFC with OPENPGPKEY record, or we can force them to use
> > > an individual submitted draft with a TXT record stalled until expiry.
> > Or they can use the already specified CERT record, which GnuPG supports.
> You would still need to address the key lookup mechanism. One of the
> reasons CERT failed for openpgp was the lack of binding between mailbox
> and DNS. You did not know where to look for the CERT record.
If I understand correctly, I believe section 3 of RFC 4398 discuss this:
http://tools.ietf.org/html/rfc4398#section-3

In particular section 3.3 explains how a OpenPGP key for
leslie@host.example would lead to a CERT record on the
leslie.host.example domain.  See
http://tools.ietf.org/html/rfc4398#section-3.3

> > Yes, CERT has its own share of problems, that you have explained, but I
> > don't see that any of the issues you brought up with CERT (that I mostly
> > agree with, FWIW) has had bearing on its deployment success or not.
> I agree. The lookup mechanism makes things like this possible:
>
> apt-get install hash-slinger
> openpgpkey --fetch pwouters(_at_)fedoraproject(_dot_)org
>
> As well as running automatic encryption using the openpgpkey-milter with
> postfix or sendmail. If you install openpgpkey-milter, your mail sever
> will already encrypt all email sent to me.
That's cool!

It looks similar to GnuPG's auto-key-lookup mechanism which supports
CERT records.

/Simon

signature.asc
Description: PGP signature