Hi Paul,
Paul Wouters wrote on 1-6-2015 at 17:44:
> On Mon, 1 Jun 2015, Stephan Bosch wrote:
>> From what I can tell, this document only describes how to publish and
>> retrieve a key in DNS/DNSSEC, i.e. in what format. I don't see any
>> mention of a procedure by which a key would get published. Since the
>> domain would be controlled by the mail provider, the user cannot do
>> this directly. So, how does a user go about getting his public key
>> published in the DNS? What kind of interaction do you envision
>> between the service provider and the mail user? Some kind of
>> provider-specific web interface? Would it be useful to devise some
>> standardized (sub-)protocol for this, so that a MUA can easily
>> arrange this for the user (e.g. just after it generated the key pair)?
>
> While that would be nice, the problem is how you authenticate that to
> your ISP or mail hoster, DNS hoster or DNS webgui interface.

Well, I suppose using the same credentials used to read/send e-mail? For
this, I am assuming the mail hoster is the same entity that controls the
domain and can freely modify the _openpgpkey.mail.domain.tld zone. So
this would mean that a DNS update results from a user's key publication
request, as received from a yet-to-devise protocol that is authenticated
using SASL with the same credentials as IMAP/POP3 and SMTP-submission.
It could even be done from within those protocols with some extension,
e.g. using IMAP METADATA.

Any other means would be fine too, as long as it is simple enough and a
standard that MUAs can rely upon.

> I doubt that you could find enough common ground for an authentication
> method between those parties.

I hope there is some common ground to be found. Otherwise, I fear this
new technology could fail in terms of user/MUA adoption. Getting the key
out there should be as easy as possible.

> There are tools (like hash-slinger's openpgpkey command) that can
> generate the DNS records. Those have to somehow get inserted into the
> zone. Whatever the method is to get an A record in, is the method to
> get an OPENPGPKEY record in.
>
> It would be awesome if facebook (who announced pgp support today) or
> google or yahoo would allow some method of receiving your public key[*]
> but I would think those parties would convert your message into the
> appropriate DNS record format.
>
> [*] For instance a message "please publish my key" signed with that key
> uploaded through their HTTPS / authenticated website.

Yes, but all of this would be provider-specific, which I think is bad.
Regards,
Stephan.
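For readers following the thread, here is what the "DNS record format" Paul refers to looks like in practice, and the provider-side step that would follow an authenticated publication request. This is an added example written for this page; it is not hash-slinger's openpgpkey code and not something either poster wrote. It follows the owner-name and RDATA layout of RFC 7929, the published form of the draft under discussion (hex of SHA2-256 of the local-part, truncated to 28 octets, under `_openpgpkey`, with the binary OpenPGP transferable public key as RDATA). `SAMPLE_KEY` is a constructed placeholder rather than a real key, and the name server in `nsupdate_script` is an assumed name.

```python
"""Build and parse OPENPGPKEY (RRtype 61) records for a mailbox.

Added example, not hash-slinger's openpgpkey tool. Layout per RFC 7929:
  owner = hex(SHA2-256(local-part))[:56] + "._openpgpkey." + domain
  RDATA = the binary OpenPGP transferable public key (gpg --export output)
SAMPLE_KEY is a constructed placeholder, not a real OpenPGP key.
"""
import base64
import hashlib

SAMPLE_KEY = bytes(range(64))  # constructed; stands in for `gpg --export` output


def openpgpkey_owner(email: str) -> str:
    """Fully qualified owner name of the mailbox's OPENPGPKEY RRset."""
    local, domain = email.rsplit("@", 1)
    # The local-part is hashed as given (no case folding here); the domain is a
    # DNS name and is matched case-insensitively, so it is lowercased.
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()
    return f"{digest[:56]}._openpgpkey.{domain.lower()}."


def openpgpkey_rr(email: str, key: bytes, ttl: int = 3600) -> str:
    """Zone-file line in the OPENPGPKEY presentation format (base64 RDATA)."""
    b64 = base64.b64encode(key).decode("ascii")
    return f"{openpgpkey_owner(email)} {ttl} IN OPENPGPKEY {b64}"


def openpgpkey_rr_generic(email: str, key: bytes, ttl: int = 3600) -> str:
    """Same record in RFC 3597 unknown-type syntax, for name servers or zone
    tools that do not know type 61 by name."""
    return f"{openpgpkey_owner(email)} {ttl} IN TYPE61 \\# {len(key)} {key.hex()}"


def parse_rr(line: str) -> tuple[str, bytes]:
    """Recover (owner, key bytes) from either presentation form.

    This is the MUA/retrieval side of the same format; malformed input raises
    ValueError rather than yielding a truncated key."""
    tokens = line.split()
    if "OPENPGPKEY" in tokens:
        i = tokens.index("OPENPGPKEY")
        # base64 RDATA may be wrapped across whitespace in a zone file
        key = base64.b64decode("".join(tokens[i + 1:]), validate=True)
    elif "TYPE61" in tokens:
        i = tokens.index("TYPE61")
        if tokens[i + 1] != r"\#":
            raise ValueError("generic RDATA must start with \\#")
        length = int(tokens[i + 2])
        key = bytes.fromhex("".join(tokens[i + 3:]))
        if len(key) != length:
            raise ValueError(f"declared {length} octets, got {len(key)}")
    else:
        raise ValueError("not an OPENPGPKEY record")
    return tokens[0], key


def nsupdate_script(email: str, key: bytes,
                    server: str = "ns1.example.net", ttl: int = 3600) -> str:
    """Hypothetical provider-side step, run only after the user's request has
    been authenticated (e.g. with the IMAP/SMTP credentials): replace the
    mailbox's OPENPGPKEY RRset with an RFC 2136 dynamic update fed to
    `nsupdate`. The delete-then-add keeps stale keys from lingering."""
    owner = openpgpkey_owner(email)
    return "\n".join([
        f"server {server}",
        f"update delete {owner} OPENPGPKEY",
        f"update add {openpgpkey_rr(email, key, ttl)}",
        "send",
    ])


if __name__ == "__main__":
    print(openpgpkey_rr("hugh@example.com", SAMPLE_KEY))
    print(openpgpkey_rr_generic("hugh@example.com", SAMPLE_KEY))
    print(nsupdate_script("hugh@example.com", SAMPLE_KEY))
```

The generic `TYPE61 \# len hex` form is worth keeping around: in 2015 many authoritative servers and zone-editing front ends did not yet know the mnemonic, and it is accepted by anything that implements RFC 3597. Note also that the owner name is derived from the local-part exactly as the user spells it; a provider that treats `Hugh@` and `hugh@` as the same mailbox has to decide which spelling it publishes under.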
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane