Now publishing fedora developer PGP keys in DNSSEC

Paul Wouters paul at nohats.ca
Wed Jan 28 20:34:02 UTC 2015


Hi,

Fedora is probably the first to use OPENPGPKEY at a large scale.

https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01

Everyone[*] who added a GPG keyid in FAS has their key published now
using the OPENPGPKEY specification. You can obtain a key using the
openpgpkey command of the hash-slinger package:

paul@bofh:~$ openpgpkey --fetch pwouters@fedoraproject.org
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: pwouters@fedoraproject.org key obtained from DNS
Comment: key transfer was protected by DNSSEC
Version: GnuPG v1

[blob]

Note that during FAS processing I found out that:

1) there are many nonsense values instead of keyids in the fas field
    (some put in their fingerprint, which is not useful without a key,
    some had multiple keyids, and one person managed to unicode-kill
    python-gnupg by putting their name in there)
2) most people don't have their fedoraproject.org as uid on their key
3) a LOT of keys were expired - I still put these in the zone
4) the gpg/python-gnupg minimal export still caused some keys to be too
    big for DNS. I simply removed those keys from the zone data.
5) almost all these keys are old keys of which I could forge a fake
    matching keyid and upload it to public key servers.

This last item is important because we sadly did not store the actual
public keys in FAS, but only their keyid. We should really change that.

Updating your key in fas does not yet automatically update the
OPENPGPKEY record in DNS.

If you are brave, you can install openpgpkey-milter on your mail server,
and it will start to automatically encrypt email to those
fedoraproject.org email addresses that have keys associated with them.

If you want to run this yourself in other domains, you can use the openpgpkey
command to generate these records for keys in your local gnupg keyring:

    openpgpkey --create paul@nohats.ca

See further: man openpgpkey
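As a worked illustration of what the fetch and create commands above deal with (added here; this is not code from hash-slinger, Fedora or the original post), the script below derives the OPENPGPKEY owner name for a mailbox, emits the zone record in both the native and the RFC 3597 generic presentation, flags keys that are too large for DNS (item 4 above), and shows the check a fetching client should do: only accept a DNSSEC-authenticated answer, and compare the key's full fingerprint rather than its keyid (item 5 above). Assumptions: owner-name hashing follows RFC 7929, the published form of the draft cited above (SHA2-256 over the local-part, truncated to 28 octets); the -01 draft is taken here to have used SHA2-224, so records generated under that draft need not match this computation; the 4096-octet size threshold is an assumed operator limit, not a value from the spec or the post; the `dnssec_authenticated` flag stands in for the resolver's AD bit; and the OpenPGP key packet is a constructed, structurally valid but meaningless RSA packet used only to exercise the parser.

```python
import base64
import hashlib

OPENPGPKEY_RRTYPE = 61  # IANA RR type number for OPENPGPKEY


def openpgpkey_owner(email: str) -> str:
    """Owner name per RFC 7929: hex(SHA2-256(local-part)[:28])._openpgpkey.<domain>.
    The local-part is hashed as-is (no case folding); the domain is a DNS name,
    so lowercasing it is harmless.  Assumption (see lead-in): the -01 draft
    cited in the post used SHA2-224 here, so zones built under it differ."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("expected local-part@domain")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."


def openpgpkey_record(email: str, key_blob: bytes, max_rdata: int = 4096) -> dict:
    """Zone-file presentation for a binary OpenPGP transferable public key.
    'native' is what a type-aware server accepts; 'generic' is the RFC 3597
    form (TYPE61 \\# len hex) for servers that do not know the type.
    max_rdata is an assumed operator threshold for keys impractically large
    for DNS (the post's item 4); it is not taken from the specification."""
    owner = openpgpkey_owner(email)
    size = len(key_blob)
    return {
        "owner": owner,
        "rdata_len": size,
        "too_big": size > max_rdata,
        "native": f"{owner} IN OPENPGPKEY {base64.b64encode(key_blob).decode()}",
        "generic": f"{owner} IN TYPE{OPENPGPKEY_RRTYPE} \\# {size} {key_blob.hex()}",
    }


def primary_key_fingerprint(key_blob: bytes) -> str:
    """v4 fingerprint (hex, upper case) of the primary public-key packet that
    starts a transferable public key (RFC 4880 section 12.2).  Only the
    old-format packet header is handled, which is what GnuPG emits for tag 6."""
    if not key_blob or not key_blob[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr = key_blob[0]
    if hdr & 0x40:
        raise ValueError("new-format packet header not handled in this example")
    tag = (hdr >> 2) & 0x0F
    if tag != 6:
        raise ValueError(f"first packet is tag {tag}, expected public-key (6)")
    ltype = hdr & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length is not allowed for key packets")
    nlen = 1 << ltype  # 1, 2 or 4 length octets
    body_len = int.from_bytes(key_blob[1:1 + nlen], "big")
    body = key_blob[1 + nlen:1 + nlen + body_len]
    if len(body) != body_len:
        raise ValueError("truncated public-key packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    # RFC 4880: fingerprint = SHA-1(0x99 || 2-octet body length || body)
    return hashlib.sha1(b"\x99" + body_len.to_bytes(2, "big") + body).hexdigest().upper()


def key_id(fingerprint_hex: str, short: bool = False) -> str:
    """A keyid is nothing more than the trailing 64 (short: 32) bits of the
    fingerprint, which is why matching on keyid alone proves little."""
    return fingerprint_hex[-8:] if short else fingerprint_hex[-16:]


def verify_fetched_key(rdata_b64: str, expected_fingerprint: str,
                       dnssec_authenticated: bool) -> bytes:
    """What a fetching client should insist on: the DNS answer was validated
    (the 'protected by DNSSEC' comment in the post's output) and the full
    fingerprint, not the keyid, matches the value on record."""
    if not dnssec_authenticated:
        raise ValueError("refusing key: DNS answer was not DNSSEC-authenticated")
    blob = base64.b64decode(rdata_b64)
    fingerprint = primary_key_fingerprint(blob)
    if fingerprint != expected_fingerprint.replace(" ", "").upper():
        raise ValueError(f"fingerprint mismatch: got {fingerprint}")
    return blob


def constructed_toy_key(created: int = 0) -> bytes:
    """Constructed sample: a structurally valid v4 RSA public-key packet with a
    tiny, meaningless modulus.  Not a real key; it only exercises the parser."""
    def mpi(value: int) -> bytes:
        return value.bit_length().to_bytes(2, "big") + value.to_bytes(
            (value.bit_length() + 7) // 8, "big")
    n = int.from_bytes(b"constructed-not-a-real-modulus", "big")
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(65537)
    return b"\x99" + len(body).to_bytes(2, "big") + body  # old-format tag 6, 2-octet length


if __name__ == "__main__":
    blob = constructed_toy_key()
    rec = openpgpkey_record("paul@nohats.ca", blob)
    print(rec["native"])
    print(rec["generic"])
    fp = primary_key_fingerprint(blob)
    print("fingerprint", fp, "keyid", key_id(fp), "short", key_id(fp, short=True))
```

Running it prints the two zone-file lines for the constructed key and its fingerprint; swapping the constructed blob for the output of `gpg --export` on a real key gives the same record that `openpgpkey --create` would produce under the RFC 7929 hashing rule.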

Paul
ps. thunderbird/enigmail support anyone? GSoC? :)
