Now publishing Fedora developer PGP keys in DNSSEC

Petr Spacek pspacek at redhat.com
Thu Jan 29 10:17:35 UTC 2015


On 28.1.2015 21:34, Paul Wouters wrote:
> Hi,
> 
> Fedora is probably the first to use OPENPGPKEY at a large scale.
> 
> https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01

Paul, thank you for doing this experiment! I definitely support it.

For people who do not watch dane-list closely, please keep in mind that:
1) It is just a draft, nothing is set in stone.
2) The -01 version of the draft does not fully specify the data format, so it
actually does not define an interoperable standard. For details see my
previous comment:
http://www.ietf.org/mail-archive/web/dane/current/msg07227.html

Brave souls willing to do standards work related to PGP keyring formats are more
than welcome!

Petr Spacek  @  Red Hat

> Everyone[*] who added a GPG keyid in FAS has their key published now
> using the OPENPGPKEY specification. You can obtain a key using the
> openpgpkey command of the hash-slinger package:
> 
> paul@bofh:~$ openpgpkey --fetch pwouters@fedoraproject.org
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Comment: pwouters@fedoraproject.org key obtained from DNS
> Comment: key transfer was protected by DNSSEC
> Version: GnuPG v1
> 
> [blob]
> 
> Note that during FAS processing I found out that:
> 
> 1) there are many nonsense values instead of keyids in the fas field
>    (some put in their fingerprint, which is not useful without a key,
>    some had multiple keyids, and one person managed to unicode kill
>    python-gnupg by putting their name in there)
> 2) most people don't have their fedoraproject.org as uid on their key
> 3) a LOT of keys were expired - I still put these in the zone
> 4) the gpg/python-gnupg minimal export still caused some keys to be too
>    big for dns. I simply removed those keys from the zone data.
> 5) almost all these keys are old keys of which I could forge a fake
>    matching keyid and upload it to public key servers.
> 
> This last item is important because we sadly did not store the actual
> public keys in FAS, but only their keyid. We should really change that.
> 
> Updating your key in fas does not yet automatically update the
> OPENPGPKEY record in DNS.
> 
> If you are brave, you can install openpgpkey-milter on your mail server,
> and it will start to automatically encrypt email to those
> fedoraproject.org email addresses that have keys associated with them.
> 
> If you want to run this yourself in other domains, you can use the openpgpkey
> command to generate these records for keys in your local gnupg keyring:
> 
>     openpgpkey --create paul@nohats.ca
> 
> See further: man openpgpkey
> 
> Paul
> ps. thunderbird/enigmail support anyone? GSoC?
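As an added example (not code from the thread, from FAS, or from the hash-slinger package), the Python below sketches two checks a zone publisher would want given the problems Paul lists: a classifier for the FAS key-id field that separates usable key ids and fingerprints from garbage and multi-value entries, and the construction of the OPENPGPKEY owner name from an email address. The owner-name scheme used is the one RFC 7929 later standardized (SHA-256 of the local part, truncated to 28 octets, hex-encoded, as a label under _openpgpkey.<domain>); whether the -01 draft discussed here used exactly that scheme is an assumption. The FAS-style sample rows are constructed.

```python
import hashlib
import re

# Accepted shapes for a FAS "GPG key ID" field (constructed rules, not FAS's own validation):
# 8 hex digits = short (32-bit) key id, 16 = long (64-bit) key id, 40 = v4 fingerprint.
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
_KNOWN_LENGTHS = (8, 16, 40)


def _strip_0x(token):
    return token[2:] if token.lower().startswith("0x") else token


def classify_keyid(value):
    """Classify one FAS key-id field value.

    Returns one of: "short-keyid", "long-keyid", "fingerprint", "multiple", "invalid".
    A fingerprint typed as ten groups of four hex digits is accepted; several
    comma- or space-separated ids are reported as "multiple" for manual follow-up.
    Note that a short key id identifies a key only loosely (Paul's item 5), so a
    publisher should still fetch and verify the full key rather than trust the id.
    """
    text = value.strip()
    if not text:
        return "invalid"
    parts = [p.strip() for p in text.split(",") if p.strip()]
    if len(parts) > 1:
        return "multiple"
    tokens = [_strip_0x(t) for t in parts[0].split()]
    # Two or more standalone ids separated by spaces ("1234ABCD DEADBEEF").
    if len(tokens) > 1 and all(_HEX_RE.match(t) and len(t) in _KNOWN_LENGTHS for t in tokens):
        return "multiple"
    compact = _strip_0x("".join(tokens))
    if not _HEX_RE.match(compact):
        return "invalid"
    if len(compact) == 8:
        return "short-keyid"
    if len(compact) == 16:
        return "long-keyid"
    if len(compact) == 40:
        return "fingerprint"
    return "invalid"


def openpgpkey_owner_name(email):
    """Owner name for the OPENPGPKEY record of an email address.

    Uses the RFC 7929 scheme: SHA-256 of the local part, truncated to 28 octets,
    hex-encoded, placed under _openpgpkey.<domain>. The local part is hashed as
    given; case normalization, if any, is left to the caller. Whether the -01
    draft matches this exactly is an assumption.
    """
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("expected localpart@domain, got %r" % email)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return "%s._openpgpkey.%s" % (digest.hex(), domain)


# Constructed FAS-style rows (username, key-id field) modelled on the problems listed above.
SAMPLE_ROWS = [
    ("alice", "0x1234ABCD"),
    ("bob", "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"),
    ("carol", "1234ABCD, DEADBEEF"),
    ("dave", "Dave Example"),
]


def audit_fas_rows(rows):
    """Group usernames by the classification of their key-id field."""
    report = {}
    for user, field in rows:
        report.setdefault(classify_keyid(field), []).append(user)
    return report


if __name__ == "__main__":
    for kind, users in sorted(audit_fas_rows(SAMPLE_ROWS).items()):
        print("%-12s %s" % (kind, ", ".join(users)))
    print(openpgpkey_owner_name("pwouters@fedoraproject.org"))
```

Running the module prints the audit of the constructed rows and the owner name that an OPENPGPKEY lookup for pwouters@fedoraproject.org would query under this scheme; only the local part feeds the hash, so the same user at two domains shares the leftmost label.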
