All,

I'm in the process of writing a blog entry about the PKA and CERT methods. A couple of people have written about them a long time ago, and I'd like to bring some of the info up to date. (If this is better asked on gnupg-dev, let me know.)


For starters:

1) Currently the only tool that can generate a CERT record, make-dns-cert, is not built or packaged by default under any OS I've found (I've tried FreeBSD and Ubuntu). It has no documentation, no examples, and only a terse 4-line usage summary. I've also seen a few bugs reported with it, which I don't know whether they've been fixed, such as not handling whitespace in the key fingerprint properly.

2) I realize this is a fringe feature, but other than a few scattered blog posts that reference each other, some of which are written by gnupg developers, info on these methods is HARD TO FIND. There's nothing in the docs/FAQ about this, at all. I think adoption would be much more widespread if this were a FAQ-able item. It's mentioned once in the manpage, once in the default gnupg.conf, and that's really it. If you document it, people will use it (and with Thawte dropping personal freemail certs lately, this is something you want).

3) As far as I know, PKA isn't standardized in any RFC. Has this changed? I saw mention of applying to IANA for its own typecode. Is there a list somewhere of what URI types are supported? I saw talk of it not supporting HTTP 1.1, but that may be fixed with curl.

Of the two methods, I tend to actually prefer PKA because it lets me delegate _pka.example.com to its own sub-zone, whereas CERT records must be inserted into the main zone.

4) Try though I might, I can't seem to get my full key in CERT format to be recognized. I am not sure if this is because my key is "complicated" (i.e. it has subkeys), because the cert is not under my primary UID, or because I just plain exported it wrong.

I'm running:

echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a

And get: gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint

I exported my key with:

gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file

It's still live if anyone wants to try.

5) Finally, the quality of records being generated, while consistent with RFC 3597, leaves them a real bear to manage and import. If you're going to export them in hex, could we please also get whitespace so we can get this into an editor easily? Ideally, the things would just be base64 encoded, in accordance with RFC 4398.

Most versions of BIND 9 understand the CERT record, with base64 representation, and numeric typecodes. BIND 9.6 understands the PGP type value mnemonic but not IPGP. BIND 9.7 understands IPGP.

What would be really, really cool, is step by step instructions for exporting, or hell, let gpg generate these records, the way ssh-keygen generates SSHFP records.

Those are my thoughts.

-Dan

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
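The post above complains about two things a practitioner runs into with these records: the RFC 3597 generic hex form (`\# <len> <hex>`) that make-dns-cert emits is hard to edit, and the RFC 4398 presentation form (`CERT <type> <key tag> <alg> <base64>`) is what a zone file wants. The following is an added example, not code from the original post or from GnuPG: it converts CERT RDATA between the two forms, maps the RFC 4398 type mnemonics (PGP = 3, IPGP = 6, and the rest) to their numbers, and decodes the IPGP "indirect" layout of one length octet, fingerprint, then URL, so that a record with an empty fingerprint can be spotted before it is published. The fingerprint and URL in the sample are constructed values, not a real key.

```python
import base64
import struct

# RFC 4398 section 2.1: certificate type values and their mnemonics.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
MNEMONICS = {name: code for code, name in CERT_TYPES.items()}


def generic_to_rdata(text):
    """Parse RFC 3597 generic form '\\# <len> <hex ...>' into raw RDATA bytes.

    The hex digits may be split by whitespace, which is what makes the
    record editable; the declared length is checked against the data."""
    fields = text.split()
    if not fields or fields[0] != r"\#":
        raise ValueError("not RFC 3597 generic form")
    length = int(fields[1])
    rdata = bytes.fromhex("".join(fields[2:]))
    if len(rdata) != length:
        raise ValueError("length mismatch: declared %d, got %d" % (length, len(rdata)))
    return rdata


def rdata_to_generic(rdata, group=16):
    """Render RDATA in RFC 3597 form, hex broken into whitespace-separated groups."""
    hexdata = rdata.hex()
    chunks = [hexdata[i:i + group] for i in range(0, len(hexdata), group)]
    return r"\# " + str(len(rdata)) + " " + " ".join(chunks)


def parse_cert(rdata):
    """Split CERT RDATA (RFC 4398 section 2) into (type, key tag, algorithm, cert)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    ctype, keytag, alg = struct.unpack("!HHB", rdata[:5])
    return ctype, keytag, alg, rdata[5:]


def build_cert(ctype, keytag, alg, cert):
    """Inverse of parse_cert: 2-octet type, 2-octet key tag, 1-octet algorithm, cert."""
    return struct.pack("!HHB", ctype, keytag, alg) + cert


def to_presentation(rdata):
    """RFC 4398 section 2.2 zone-file form: CERT <type> <key tag> <alg> <base64>."""
    ctype, keytag, alg, cert = parse_cert(rdata)
    name = CERT_TYPES.get(ctype, str(ctype))  # mnemonic if known, else the number
    return "CERT %s %d %d %s" % (name, keytag, alg, base64.b64encode(cert).decode())


def from_presentation(text):
    """Parse the zone-file form back into RDATA; accepts mnemonic or numeric type."""
    fields = text.split()
    if len(fields) < 5 or fields[0] != "CERT":
        raise ValueError("not a CERT presentation record")
    ctype = MNEMONICS.get(fields[1]) or int(fields[1])
    cert = base64.b64decode("".join(fields[4:]))  # base64 may be split across tokens
    return build_cert(ctype, int(fields[2]), int(fields[3]), cert)


def build_ipgp(fingerprint, url):
    """IPGP certificate data (RFC 4398 section 2.1.6): length octet, fingerprint, URL."""
    if len(fingerprint) > 255:
        raise ValueError("fingerprint too long for one length octet")
    return bytes([len(fingerprint)]) + fingerprint + url.encode()


def decode_ipgp(cert):
    """Return (fingerprint hex or None, url). A zero length octet means no
    fingerprint is present, which is the case worth flagging before publishing."""
    if not cert:
        raise ValueError("empty IPGP data")
    n = cert[0]
    fingerprint, url = cert[1:1 + n], cert[1 + n:].decode()
    return (fingerprint.hex().upper() if n else None), url


# Constructed sample values for the demonstration (not a real key or fingerprint).
SAMPLE_FPR = bytes(range(20))
SAMPLE_URL = "https://example.org/key.asc"


def sample_ipgp_rdata():
    """An IPGP CERT record (type 6, key tag 0, algorithm 0) built from the samples."""
    return build_cert(MNEMONICS["IPGP"], 0, 0, build_ipgp(SAMPLE_FPR, SAMPLE_URL))


if __name__ == "__main__":
    rdata = sample_ipgp_rdata()
    print(rdata_to_generic(rdata))
    print(to_presentation(rdata))
    print(decode_ipgp(parse_cert(rdata)[3]))
```

Run as a script it prints the same record three ways: the whitespace-grouped RFC 3597 hex, the base64 RFC 4398 line that BIND 9.7 accepts with the IPGP mnemonic (use the numeric type 6 for a BIND 9.6 zone, per the post), and the decoded fingerprint and URL.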
