Dan Mahoney, System Admin
Wed, 21 Oct 2009 02:46:58 -0700
On Wed, 21 Oct 2009, David Shaw wrote:
You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case.
Aah, yes, there we go. Now it seems to work on all my systems. For some reason I assumed --export would just pick one key to match on, just as --delete-keys does. Note there's still a secondary key, hence my confusion.
So far, the commands for a PGP CERT are:

gpg --list-keys gu...@gushi.org (read, get key id)
gpg2 --export --export-options export-clean keyid > keyid.pub.bin
-or-
gpg2 --export --export-options export-minimal keyid > keyid.pub.bin
make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. > keyid.dnscert

The commands for an IPGP cert are:

gpg --list-keys y...@you.com
Choose your keyid from the above.
gpg2 --export --armor keyid > keyid.pub.asc
Copy the ascii file somewhere where it's URL accessible.
Manually copy/paste your fingerprint into the next command:
make-dns-cert -n gushi.gushi.org. -u url format (which?) -f fingerprint > keyid.dnscert

Then, publish one (and only one) CERT record in DNS per label. In my case this also means signing the zone and all that.
Finally, for a _PKA record, it involves manually:

u...@domain.com becomes user._pka.domain.com.

Get your keyid as above.
1) Export to a uri as for the IPGP cert, above (presumably, it can be the same uri).
2) Strip your fingerprint like so:
gpg --fingerprint keyid | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'

The format of the text record is simple:

you._pka.domain.com. IN TXT "v=pka1;fpr=[#1];uri=[#2]"

where the values are substituted from the steps above. Publish this in DNS.

Test using: dig you._pka.domain.com TXT, and see if you get a result.

Test with a GPG client that doesn't otherwise have the key:
echo "foo" | gpg --auto-key-locate pka --armor --encrypt -r y...@domain.com
and see if you get an output.
So here's the laundry list:

0) Do the above look mostly right?
1) What are the best options for exporting certs for a CERT record? For a uri-styled record? (i.e. which signatures do you want to include?)
2) Do either the pka or the IPGP standards require the key to be in binary/ascii format?
3) What's the "sanctioned" list of uri formats? Where is it defined for CERT? For PKA?
4) As I'm not a C coder, how difficult would it be to have make-dns-cert output in base64 instead of binary?
5) How solid is the output of --fingerprint? Is it likely to change between versions, or are the grep and sed listed likely to work most places?
6) How difficult would it be to get the cert-export functions right into gpg?
7) How difficult would it be to get make-dns-cert built by default?
8) (asked previously) Is it worth filing a bug on not being able to specify multiple keyservers for auto-key-locate?
9) (also previously) Is it worth filing a bug to not have auto-key-locate vomit on unsupported methods?
With the answers to the above, I'll write up a nice howto doc including the prereqs for all the above, the DNS requirements, and the like.
-Dan

--
"It's three o'clock in the morning. It's too late for 'oops'. After Locate Updates, don't even go there." -Paul Baecker January 3, 2k
Indeed, sometime after 3AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
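The fingerprint scrape and PKA TXT record described in the mail above, as an added example that is not part of the original message or of GnuPG: it runs the grep/sed pipeline over a constructed sample of gpg --fingerprint output, shows the --with-colons form as a more script-friendly alternative, sanity-checks the result before building the record, and parses a published record back so it can be compared with the local key. The sample outputs, the fingerprint and the example.org URI are constructed, and pka_record / check_fpr / pka_fpr_from_txt are names chosen here.

```shell
# Added example (not from the mail): derive a PKA fingerprint two ways, build
# the TXT record, and parse a published record back for comparison.
# Both gpg outputs below are constructed samples, not captured from a real key.
SAMPLE_FPR_OUTPUT='pub   1024D/01234567 2009-10-21
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Example User <user@example.org>'
# Constructed "gpg --with-colons --fingerprint keyid" output; the fpr record
# carries the fingerprint, without spaces, in field 10.
SAMPLE_COLON_OUTPUT='pub:u:1024:17:89ABCDEF01234567:2009-10-21:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::2009-10-21::0000::Example User <user@example.org>:'

# The pipeline from the mail: scrape the human-readable "Key fingerprint" line.
fpr_from_human() {
    grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'
}

# Machine-readable alternative: --with-colons output is intended for scripts
# and does not depend on the human-readable layout, so prefer it where available.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# A v4 fingerprint is exactly 40 upper-case hex digits; anything else means
# the scrape picked up the wrong text. Returns 0 when valid.
check_fpr() {
    case "$1" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Build the record line: pka_record <localpart> <domain> <fingerprint> <uri>
pka_record() {
    printf '%s._pka.%s. IN TXT "v=pka1;fpr=%s;uri=%s"\n' "$1" "$2" "$3" "$4"
}

# Pull the fingerprint out of TXT rdata as dig prints it (quotes optional),
# so the published record can be checked against the local key after publishing.
pka_fpr_from_txt() {
    printf '%s\n' "$1" | sed -n 's/^"\{0,1\}v=pka1;fpr=\([0-9A-Fa-f]*\);.*/\1/p'
}

FPR=$(printf '%s\n' "$SAMPLE_FPR_OUTPUT" | fpr_from_human)
if check_fpr "$FPR"; then
    pka_record you domain.com "$FPR" "https://example.org/keyid.pub.asc"
else
    echo "unexpected fingerprint: '$FPR'" >&2
fi
```

Replace the constructed samples with real `gpg --fingerprint keyid` or `gpg --with-colons --fingerprint keyid` output and the TXT rdata from `dig you._pka.domain.com TXT` to check your own record.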