* on the Mon, Jul 21, 2014 at 06:23:51PM +0200, Peter Lebbing wrote: > By the way, regarding DANE as an alternative to the CA system: I think a > proper > implementation of authentication through DNS could well be way better than the > CA system: at least you can only be screwed by people having access to signing > keys for the root and the TLD, instead of anyone with access to a CA > certificate.
I believe Postfix already has support for using DANE and it's on the roadmap for Exim too. I already have it set up for my own domain "grepular.com": mike@flan:~$ dig +short mx grepular.com 10 mx1.grepular.com. 20 mx2.grepular.com. mike@flan:~$ dig +short tlsa _25._tcp.mx1.grepular.com 3 0 1 3469CFEC16545C38CCADC72D5E7A11E11254D53AA69E587C135D9874 300FF144 mike@flan:~$ dig +short tlsa _25._tcp.mx2.grepular.com 3 0 1 6643FEEA7C7B382BE1D09422FAABEB6B47642BE87178BDD73637B175 CE34370E mike@flan:~$ My SMTP certs are also signed by a traditional CA at the same time, so there's two ways of verifying that the certs are correct. I also have it set up for the website at https://grepular.com/ - If you're using Firefox, have a DNSSEC capable resolver and are using the addon from https://www.dnssec-validator.cz/, it will display a nice green icon in the address bar to show you that DNSSEC is in use, and another to show you that DANE validated, when visiting https://grepular.com/ Thanks to signed DNS, you can also fetch my PGP key safely and independently of keyservers: gpg --auto-key-locate pka -ear mike.cardwell(NOSPAM)@grepular.com That command will cause GnuPG to perform the following DNS lookup: mike@flan:~$ dig +short TXT mike.cardwell(NOSPAM)._pka.grepular.com "v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc" mike@flan:~$ Then fetches the key from http://grepular.com/0018461F.pub.asc and validates that the fingerprint matches the one in the DNS response. Also, all of my email is encrypted at rest thanks to GnuPG. Even the stuff which was not encrypted when it was sent: https://grepular.com/Automatically_Encrypting_all_Incoming_Email https://grepular.com/Automatically_Encrypting_all_Incoming_Email_Part_2 -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
signature.asc
Description: Digital signature
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
