On Wed, 21 Oct 2009, David Shaw wrote:

> You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case.

Aah, yes, there we go. Now it seems to work on all my systems. For some reason I assumed --export would just pick one key to match on, just as --delete-keys does. Note there's still a secondary key, hence my confusion.

So far, the commands for a PGP CERT are:

gpg --list-keys gu...@gushi.org
(read, get key id)
gpg2 --export --export-options export-clean > keyid.pub.bin
-or-
gpg2 --export --export-options export-minimal > keyid.pub.bin
make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. > keyid.dnscert

The commands for an IPGP cert are:

gpg --list-keys y...@you.com
Choose your keyid from the above.
gpg2 --export --armor keyid > keyid.pub.asc
Copy the ASCII file somewhere where it's URL accessible.
Manually copy/paste your fingerprint into the next command:
make-dns-cert -n gushi.gushi.org. -u url format (which?) -f fingerprint > keyid.dnscert

Then, publish one (and only one) CERT record in dns per-label. In my case this also means signing the zone and all that.

Finally, for an _PKA record, it involves manually:

u...@domain.com becomes user._pka.domain.com.
Get your keyid as above.

1) Export to a uri as for IPGP cert, above (presumably, it can be the same uri).

Strip your fingerprint like so:

2) gpg --fingerprint keyid | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'

The format of the text record is simple:

you._pka.domain.com.  IN  TXT "v=pka1;fpr=[#1];uri=[#2]"

Where the values are substituted from the steps above.

Publish this in DNS.

Test using: dig you._pka.domain.com TXT, see if you get a result.

Test with a GPG client that doesn't otherwise have the key:

echo "foo" | gpg --auto-key-locate pka --armor --encrypt -r y...@domain.com and see if you get an output.

So here's the laundry list:

0) Do the above look mostly-right?
1) What are the best options for exporting certs for a CERT record? For a uri-styled record? (i.e. which signatures do you want to include?)
2) Do either the pka or the IPGP standards require the key to be in binary/ascii format?
3) What's the "sanctioned" list of uri formats? Where is it defined for CERT? For PKA?
4) As I'm not a C coder, how difficult would it be to have the make-dns-cert output in base64 instead of binary?
5) How solid is the output of --fingerprint? Is it likely to change between versions, or are the grep and sed listed likely to work most places?
6) How difficult would it be to get the cert-export functions right into gpg?
7) How difficult would it be to get make-dns-cert built-by-default?
8) (asked previously) Is it worth filing a bug on not being able to specify multiple keyservers for auto-key-locate?
9) (also previously) Is it worth filing a bug to not have auto-key-locate vomit on unsupported methods?

With the answers to the above, I'll write up a nice howto doc including the prereqs for all the above, the DNS requirements, and the like.

-Dan

--

"It's three o'clock in the morning.  It's too late for 'oops'.  After
Locate Updates, don't even go there."

-Paul Baecker
 January 3, 2k
 Indeed, sometime after 3AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
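Added example (my own code, not Dan's, David's or GnuPG's): the IPGP CERT and PKA steps in the message above, carried out in Python rather than with make-dns-cert and a grep/cut/sed pipeline. It reads the fingerprint from gpg's machine-readable `--with-colons` output (the `fpr` record is the stable interface, unlike the human-readable "Key fingerprint =" line), builds the RFC 4398 CERT RDATA for an IPGP record (type 6, key tag and algorithm zero, then a 1-octet fingerprint length, the fingerprint and the URL), prints it both in RFC 3597 generic `\#` form and in the native CERT presentation, whose certificate field is base64, and builds the `v=pka1` TXT record. The gpg output, fingerprint, URL and names are constructed sample values, not real keys.

```python
import base64
import struct

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
# Field 9 of the "fpr" record is the fingerprint as bare hex.
SAMPLE_COLONS_OUTPUT = """\
tru::1:1256000000:0:3:1:5
pub:u:2048:1:0000000000000001:1256000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1256000000::0000000000000000000000000000000000000000::Example User <user@example.com>:
sub:u:2048:1:0000000000000002:1256000000::::::e:
"""

CERT_RRTYPE = 37      # RFC 4398: the CERT resource record type number
CERT_TYPE_IPGP = 6    # RFC 4398 2.1: certificate type IPGP (fingerprint + URL)


def primary_fingerprint(colons_output: str) -> str:
    """Return the first fpr record's fingerprint (uppercase hex, no spaces)."""
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9].upper()
    raise ValueError("no fpr record in gpg --with-colons output")


def ipgp_rdata(fingerprint_hex: str, url: str) -> bytes:
    """RFC 4398 CERT RDATA: type(2) keytag(2) algorithm(1) certificate.
    For PGP/IPGP types the key tag and algorithm MUST be zero; the IPGP
    certificate field is 1-octet fingerprint length, fingerprint, URL."""
    fpr = bytes.fromhex(fingerprint_hex)
    if len(fpr) != 20:
        # v4 OpenPGP fingerprints are 20 octets; anything else is a parse error
        raise ValueError(f"unexpected fingerprint length {len(fpr)}")
    cert_field = struct.pack("!B", len(fpr)) + fpr + url.encode("ascii")
    return struct.pack("!HHB", CERT_TYPE_IPGP, 0, 0) + cert_field


def generic_rr(owner: str, rdata: bytes) -> str:
    """RFC 3597 unknown-type presentation (what make-dns-cert style tools emit),
    usable on servers that do not know the CERT mnemonic."""
    return f"{owner} IN TYPE{CERT_RRTYPE} \\# {len(rdata)} {rdata.hex().upper()}"


def cert_rr(owner: str, fingerprint_hex: str, url: str) -> str:
    """Native RFC 4398 presentation: type mnemonic, key tag, algorithm,
    then the certificate field in base64 (the "base64 instead of binary" form)."""
    cert_field = ipgp_rdata(fingerprint_hex, url)[5:]
    return f"{owner} IN CERT IPGP 0 0 {base64.b64encode(cert_field).decode('ascii')}"


def pka_rr(email: str, fingerprint_hex: str, url: str) -> str:
    """PKA TXT record as in the message: user@domain -> user._pka.domain."""
    local, domain = email.split("@", 1)
    return f'{local}._pka.{domain}. IN TXT "v=pka1;fpr={fingerprint_hex};uri={url}"'


if __name__ == "__main__":
    # Constructed values: the key is not real and the URL is a placeholder.
    fpr = primary_fingerprint(SAMPLE_COLONS_OUTPUT)
    url = "https://www.example.com/keys/user.asc"
    print(generic_rr("user.example.com.", ipgp_rdata(fpr, url)))
    print(cert_rr("user.example.com.", fpr, url))
    print(pka_rr("user@example.com", fpr, url))
```

The first two lines printed are the same IPGP record in two presentations and load identically on a server that understands both; one label still carries exactly one CERT record, as David points out above.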


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
