Now publishing fedora developer PGP keys in DNSSEC

Paul Wouters paul at nohats.ca
Thu Jan 29 14:27:56 UTC 2015


On Thu, 29 Jan 2015, Petr Spacek wrote:

>> Fedora is probably the First to use OPENPGPKEY at a large scale.
>>
>> https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01
>
> Paul, thank you for doing this experiment! I definitely support it.
>
> For people who do not watch dane-list closely, please keep in mind that:
> 1) It is just draft, nothing is set in stone.

It's basically waiting for Working Group Last Call (WGLC) and we're past
the point of Early Code point assignment. So the format is not expected
to change anymore.

> 2) The -01 version of the draft does not fully specify data format so it
> actually does not define an interoperable standard.

It does. It refers to RFC 4880, which defines the OpenPGP standard for
the keyring format. While we agree the specification could have been
written better back in 2007, no one has thought it necessary to write
up a 4880bis document so far.

> For details see my
> previous comment:
> http://www.ietf.org/mail-archive/web/dane/current/msg07227.html

Paul Hoffman told you as much as well:
http://www.ietf.org/mail-archive/web/dane/current/msg07228.html

And the format is easy: you will be able to put your regular ASCII
armor keyring output in your zone file, while the raw binary is still
used in the zone itself and over the wire.

I mean, this is pretty nice:

openpgpkey --fetch pwouters@fedoraproject.org | gpg --import --dry-run

And you could even do that with the raw dig output!!

dig type61 $(echo -n pwouters| sha224sum | sed "s/ .*$//")._openpgpkey.fedoraproject.org |grep TYPE61 | sed "s/^.*TYPE61.*\\\# [0-9]* //" | grep -v ";" | sed "s/ //g" | xxd -r -p | gpg --import --dry-run

Pretty standard format!

Paul
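
An added worked example, not code from the post or from the openpgpkey tool, covering the conversion the post is talking about: it strips the ASCII armor from a keyring export, verifies the armor CRC, builds the generic "\# <length> <hex>" TYPE61 record (the form dig prints for a type it does not know), parses such a dig line back into raw OpenPGP bytes, and walks the RFC 4880 packet headers as a sanity check before publishing. It assumes the draft-01 owner-name hash that the post's one-liner uses (SHA-224 of the local-part); the key material is a constructed stub packet, not a real key, and the address pwouters@fedoraproject.org is only reused from the post. Caveat: RFC 7929, the version eventually published, hashes the local-part with SHA-256 truncated to 28 octets, so names computed this way will not match what an RFC 7929 client looks up.

```python
"""Added example, not code from the post or the openpgpkey tool: convert an
armored OpenPGP export to the generic TYPE61 record dig prints, and back,
hashing the owner name as draft-ietf-dane-openpgpkey-01 and the post's
one-liner do (SHA-224 of the local-part; RFC 7929 later changed this)."""
import base64
import hashlib
import re

OPENPGPKEY_TYPE = 61  # the early code point used in the thread

# Constructed stub payload: one OpenPGP User ID packet (RFC 4880 section 5.11),
# 0xB4 = old-format header, tag 13, one-octet length.  Not a real key.
STUB_PACKET = bytes([0xB4, 0x05]) + b"Alice"

def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Wrap raw packets the way 'gpg --export -a' does: 64-column base64 + CRC."""
    body = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [body[i:i + 64] for i in range(0, len(body), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----", ""])

def dearmor(text: str) -> bytes:
    """Inverse of armor(); rejects a block whose CRC-24 trailer does not match."""
    data, crc_line, in_block, in_headers = [], None, False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_block = in_headers = True
        elif line.startswith("-----END PGP"):
            break
        elif not in_block:
            continue
        elif in_headers and (line == "" or ":" in line):
            in_headers = line != ""  # armor headers end at the first blank line
        elif line.startswith("="):
            crc_line = line[1:]
        elif line:
            data.append(line)
    if not in_block or crc_line is None:
        raise ValueError("not an armored OpenPGP block")
    raw = base64.b64decode("".join(data), validate=True)
    if int.from_bytes(base64.b64decode(crc_line), "big") != crc24(raw):
        raise ValueError("armor CRC-24 mismatch: block is corrupted or tampered")
    return raw

def owner_name(email: str) -> str:
    # draft -01 form: <sha224(local-part) as 56 hex chars>._openpgpkey.<domain>.
    local, domain = email.rsplit("@", 1)
    return f"{hashlib.sha224(local.encode()).hexdigest()}._openpgpkey.{domain}."

def zone_record(email: str, armored: str, ttl: int = 3600) -> str:
    """Generic RFC 3597 form: armor stripped, raw binary as \\# <length> <hex>."""
    raw = dearmor(armored)
    return f"{owner_name(email)} {ttl} IN TYPE{OPENPGPKEY_TYPE} \\# {len(raw)} {raw.hex()}"

_RDATA_RE = re.compile(rf"TYPE{OPENPGPKEY_TYPE}\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)$")

def parse_dig_line(line: str) -> bytes:
    """The sed/xxd half of the post's one-liner, plus a check of the declared length."""
    m = _RDATA_RE.search(line)
    if line.lstrip().startswith(";") or not m:  # ';...TYPE61' is the question line
        raise ValueError("not a TYPE61 answer line")
    raw = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    if len(raw) != int(m.group(1)):
        raise ValueError(f"declared RDATA length {m.group(1)} != {len(raw)} bytes")
    return raw

def packet_tags(data: bytes) -> list:
    """Walk RFC 4880 packet headers (section 4.2) and return each packet's tag:
    a cheap check that the bytes about to be published are a packet stream."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80 or pos + 1 >= len(data):
            raise ValueError(f"bad packet header at offset {pos}")
        if ctb & 0x40:  # new-format header: one- or two-octet body length only
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            else:
                raise ValueError("5-octet or partial body length not handled here")
        else:  # old-format header; length type 3 (indeterminate) is not a keyring
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length does not belong in a keyring")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        tags.append(tag)
        pos += hdr + length
    if pos != len(data):
        raise ValueError("truncated packet stream")
    return tags
```

zone_record("pwouters@fedoraproject.org", armor(STUB_PACKET)) yields a line of the shape "<hash>._openpgpkey.fedoraproject.org. 3600 IN TYPE61 \# 7 b405416c696365", and parse_dig_line() on that same line, or on the equivalent line from dig, gives back the seven raw bytes that gpg --import would read. The CRC check in dearmor() and the packet walk in packet_tags() are the two things worth running before the record goes into a signed zone: a typo in the armor, or an export that is not a packet stream, shows up here rather than at the client.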
