In message <87d1x8ra6a(_dot_)fsf(_at_)latte(_dot_)josefsson(_dot_)org>, Simon
Josefsson writes:
Paul Wouters <paul(_at_)nohats(_dot_)ca> writes:
On Wed, 23 Sep 2015, Simon Josefsson wrote:
Some people disagree with you and think DNSSEC is a viable PKI for their
intended use. These people want to use DNSSEC. We can give those people
an experimental RFC with OPENPGPKEY record, or we can force them to use
an individual submitted draft with a TXT record stalled until expiry.
Or they can use the already specified CERT record, which GnuPG supports.
You would still need to address the key lookup mechanism. One of the
reasons CERT failed for openpgp was the lack of binding between mailbox
and DNS. You did not know where to look for the CERT record.
If I understand correctly, I believe section 3 of RFC 4398 discusses this:
http://tools.ietf.org/html/rfc4398#section-3
In particular section 3.3 explains how an OpenPGP key for
leslie@host.example would lead to a CERT record on the
leslie.host.example domain. See
http://tools.ietf.org/html/rfc4398#section-3.3
Which is very much part of the problem. RFC 103[45] have mbox names
which unfortunately cause namespace collisions. Usernames and
hostnames shouldn't be in the same namespace. RFC 4398 continues
to have that problem.
This draft and the s/mime draft address that issue by moving the looked-up
name out of the valid hostname namespace.
Yes, CERT has its own share of problems, that you have explained, but I
don't see that any of the issues you brought up with CERT (that I mostly
agree with, FWIW) have had bearing on its deployment success or not.
I agree. The lookup mechanism makes things like this possible:
apt-get install hash-slinger
openpgpkey --fetch pwouters(_at_)fedoraproject(_dot_)org
As well as running automatic encryption using the openpgpkey-milter with
postfix or sendmail. If you install openpgpkey-milter, your mail server
will already encrypt all email sent to me.
That's cool!
It looks similar to GnuPG's auto-key-lookup mechanism which supports
CERT records.
/Simon
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
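The namespace-collision point above, shown as an added example that is not part of this thread: it derives the RFC 4398 section 3.3 owner name (local-part becomes a label of the mail domain) and the OPENPGPKEY owner name, assuming the draft's scheme is the one later published as RFC 7929 (SHA2-256 of the local-part, truncated to 28 octets, hex-encoded, under `_openpgpkey`), and checks which CERT names would land on names a zone already uses for hosts. Hostnames and mailboxes are constructed samples.

```python
import hashlib


def cert_owner_name(mailbox: str) -> str:
    # RFC 4398 section 3.3 style: the local-part becomes the leftmost label
    # of the mail domain, so leslie@host.example -> leslie.host.example.
    local, domain = mailbox.rsplit("@", 1)
    return f"{local}.{domain}"


def openpgpkey_owner_name(mailbox: str) -> str:
    # OPENPGPKEY scheme (assumed to match the draft; published as RFC 7929):
    # SHA2-256 over the UTF-8 local-part, truncated to 28 octets,
    # hex-encoded, placed under the _openpgpkey label of the mail domain.
    # The local-part is hashed as given; case folding is the sender's policy.
    local, domain = mailbox.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def collisions(mailboxes, hostnames):
    # Mailboxes whose CERT owner name equals an existing hostname in the
    # zone (DNS names compare case-insensitively, trailing dot ignored).
    hosts = {h.lower().rstrip(".") for h in hostnames}
    return sorted(m for m in mailboxes
                  if cert_owner_name(m).lower().rstrip(".") in hosts)


# Constructed sample zone contents and mailboxes for the demonstration.
SAMPLE_HOSTNAMES = ["www.example.com", "mail.example.com", "ns1.example.com"]
SAMPLE_MAILBOXES = ["leslie@example.com", "www@example.com", "mail@example.com"]

if __name__ == "__main__":
    for m in SAMPLE_MAILBOXES:
        print(f"{m}: CERT={cert_owner_name(m)} OPENPGPKEY={openpgpkey_owner_name(m)}")
    print("CERT names colliding with hostnames:",
          collisions(SAMPLE_MAILBOXES, SAMPLE_HOSTNAMES))
    # OPENPGPKEY names cannot collide with hosts: they sit under _openpgpkey.
    print("OPENPGPKEY names colliding with hostnames:",
          [m for m in SAMPLE_MAILBOXES
           if openpgpkey_owner_name(m) in SAMPLE_HOSTNAMES])
```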