Now Publishing fedora developer PGP keys in DNSSEC

Petr Spacek pspacek at redhat.com
Thu Jan 29 16:15:37 UTC 2015


On 29.1.2015 15:27, Paul Wouters wrote:
> On Thu, 29 Jan 2015, Petr Spacek wrote:
> 
>>> Fedora is probably the First to use OPENPGPKEY at a large scale.
>>>
>>> https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01
>>
>> Paul, thank you for doing this experiment! I definitely support it.
>>
>> For people who do not watch dane-list closely, please keep in mind that:
>> 1) It is just draft, nothing is set in stone.
> 
> It's basically waiting for Working Group Last Call (WGLC) and we're past
> the point of Early Code point assignment. So the format is not expected
> to change anymore.
> 
>> 2) The -01 version of the draft does not fully specify data format so it
>> actually does not define an interoperable standard.
> 
> It does. It refers to RFC-4880 that defines the OpenPGP standard for

Let's discuss this on IETF mailing lists and not here...

For completeness: I claim that the reference to RFC 4880 is not sufficient:

https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01#section-2.1
2.1. The OPENPGPKEY RDATA component
   The RDATA (or RHS) of an OPENPGPKEY Resource Record contains a single
   value consisting of a [RFC4880] formatted OpenPGP public keyring.

refers to:

http://tools.ietf.org/html/rfc4880#section-3.6
3.6. Keyrings
   A keyring is a collection of one or more keys in a file or database.
   Traditionally, a keyring is simply a sequential list of keys, but may
   be any suitable database.  It is beyond the scope of this standard to
   discuss the details of keyrings or other databases.

I can't imagine how you could implement an interoperable implementation based
on the definition "It is beyond the scope of this standard to discuss the
details of keyrings or other databases."

Anyway, this belongs to IETF mailing lists. Please reply to dane-list, I will
pick it up from there.

Petr Spacek  @  Red Hat

> the keyring format. While we agree the specification could have been
> written better back in 2007, no one has thought it necessary to write
> up a 4880bis document so far.
> 
>> For details see my
>> previous comment:
>> http://www.ietf.org/mail-archive/web/dane/current/msg07227.html
> 
> Paul Hoffman told you as much as well:
> http://www.ietf.org/mail-archive/web/dane/current/msg07228.html
> 
> And the format is easy you will be able to put your regular ascii
> armor keyring output in your zone file, while it still preserves
> using the raw binary in the zone itself and over the wire.
> 
> I mean, this is pretty nice:
> 
> openpgpkey --fetch pwouters@fedoraproject.org | gpg --import --dry-run
> 
> And you could even do that with the raw dig output!!
> 
> dig type61 $(echo -n pwouters| sha224sum | sed "s/ .*$//")._openpgpkey.fedoraproject.org |grep TYPE61 | sed "s/^.*TYPE61.*\\\# [0-9]* //" | grep -v ";" | sed "s/ //g" | xxd -r -p | gpg --import --dry-run
> 
> Pretty standard format!
> 
> Paul
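The steps that dig pipeline performs by hand, as an added Python example (not code from this thread or from the openpgpkey tool): it builds the `_openpgpkey` owner name with SHA-224 of the local part as the -01 draft and `sha224sum` do, decodes dig's RFC 3597 generic `\# <len> <hex>` RDATA with a length check, and confirms the bytes start with an RFC 4880 Public-Key packet before anything is handed to `gpg --import`. The sample record is constructed, and hashing the local part without case folding is an assumption.

```python
import hashlib
import re


def openpgpkey_owner(email: str) -> str:
    """Owner name as draft-ietf-dane-openpgpkey-01 (and sha224sum in the pipeline)
    form it: hex SHA-224 of the local part under _openpgpkey in the domain.
    Assumption: the local part is hashed as-is, with no case folding."""
    local, domain = email.rsplit("@", 1)
    return f"{hashlib.sha224(local.encode()).hexdigest()}._openpgpkey.{domain}."


def parse_generic_rdata(line: str) -> bytes:
    """Decode one dig line in RFC 3597 generic form:
    <owner> <ttl> IN TYPE61 \\# <length> <hex bytes, space separated>
    and check the declared length against the decoded bytes."""
    m = re.search(r"TYPE61\s+\\#\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s*)+)$", line.strip())
    if not m:
        raise ValueError("not a generic-format TYPE61 record")
    declared = int(m.group(1))
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(data) != declared:
        raise ValueError(f"RDATA length {len(data)} != declared {declared}")
    return data


def first_packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet (RFC 4880 section 4.2): bit 7 must be set;
    bit 6 selects new format (tag in low 6 bits) or old format (bits 2..5)."""
    if not data or not data[0] & 0x80:
        raise ValueError("RDATA does not start with an OpenPGP packet header")
    if data[0] & 0x40:
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F


def keyring_for_import(line: str) -> bytes:
    """Bytes worth handing to 'gpg --import': RDATA that decodes cleanly and
    starts with a Public-Key packet (tag 6), as a published keyring should."""
    data = parse_generic_rdata(line)
    tag = first_packet_tag(data)
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected Public-Key (6)")
    return data


# Constructed sample: old-format Public-Key packet header 0x99 with two-byte
# length 3, then three placeholder body bytes; not a real key.
SAMPLE_DIG_LINE = (openpgpkey_owner("pwouters@fedoraproject.org")
                   + " 3600 IN TYPE61 \\# 6 99000304 0102")
```

Only the first packet header is inspected here; a full RFC 4880 parse of the keyring is still gpg's job, and DNSSEC validation of the answer (dig's AD bit) is what makes the fetched key trustworthy in the first place.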
