Re: publishing PGP keys in DNS

2016-12-21 Thread Werner Koch
On Wed, 21 Dec 2016 12:00, bjo...@schiessle.org said:

> auto-key-locate cert pka wkd keyserver
>
> Does this mean that gpg will try to find a WKD and a corresponding
> public key automatically if I write an email to someone I don't have a
> public key yet? Or will the lookup happen if I receive a mail?

Right; but only as long as the key has been specified by mail address.

First gpg looks into the local keyring, then tries to find a CERT
record, then tries to get the fingerprint via PKA and downloads the key
from the included URL or a configured keyserver, then it tries to locate
via WKD, and finally by a simple keyserver search.  I would suggest to
use

 auto-key-locate wkd,dane,pka

if you want to find keys for signature verification you can also use

 auto-key-retrieve

to fetch a key from a keyserver.  The drawback is that you need to wait
for the keyserver.  The latter will eventually be improved by using a
lower timeout and queueing the request for later background retrieval.

Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
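The WKD step in the lookup order Werner describes (and the Web Key Directory he recommends over DNS records in the earlier message) works by turning the mail address into a fixed URL: the local part is hashed with SHA-1, the digest is z-base-32 encoded, and the client fetches the key over HTTPS from `/.well-known/openpgpkey/hu/<hash>`. The following is an added example, not code from the thread or from GnuPG, that derives those URLs and the path a publisher must serve. It assumes the local part is lowercased before hashing, as the WKD draft specifies, and it also builds the "advanced" (openpgpkey subdomain) form and the `l=` query parameter, both of which were added to the draft after this 2016 thread; the address and fingerprint in the usage section are constructed sample values.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by GnuPG for WKD labels and, from 2.1.3 on,
# for the hashed PKA owner names shown in the thread.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first,
    no padding characters; a trailing partial group is zero-filled."""
    out = []
    buffer = 0
    bits = 0
    for byte in data:
        buffer = (buffer << 8) | byte
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append(ZBASE32_ALPHABET[(buffer >> bits) & 0x1F])
    if bits:
        out.append(ZBASE32_ALPHABET[(buffer << (5 - bits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Hashed user-id label: z-base-32 of SHA-1 over the local part.
    Assumption: the local part is mapped to lowercase first, as the WKD
    draft specifies. A 160-bit digest always yields exactly 32 characters."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Return the URLs a WKD client would fetch for this address.
    The "direct" form is what existed in 2016; the "advanced" form and the
    l= parameter were added to the draft later (assumption about history)."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mail address: {email!r}")
    domain = domain.lower()
    label = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{label}{query}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{label}{query}",
    }


def wkd_server_path(email: str) -> str:
    """Path below the web root where the publisher places the binary
    (not ASCII-armored) key for the direct method."""
    local_part, _, _ = email.rpartition("@")
    return f"/.well-known/openpgpkey/hu/{wkd_hash(local_part)}"


def fingerprint_matches(expected: str, actual: str) -> bool:
    """Compare fingerprints ignoring grouping spaces and case. A key found
    via WKD is only as trustworthy as the HTTPS transport, so a caller that
    already knows the fingerprint should still compare it after import."""
    def norm(s: str) -> str:
        return s.replace(" ", "").upper()
    return norm(expected) == norm(actual)


if __name__ == "__main__":
    # Constructed sample address and fingerprint (not values from the thread).
    addr = "alice@example.org"
    expected_fpr = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    for method, url in wkd_urls(addr).items():
        print(f"{method:8s} {url}")
    print("publish at", wkd_server_path(addr))
    print("fingerprint ok:", fingerprint_matches(
        expected_fpr, "0123456789abcdef0123456789abcdef01234567"))
```

Running the script prints the direct and advanced URLs for the sample address and the server path to populate; the same `wkd_hash` label is what GnuPG expects when it is configured with `auto-key-locate wkd`.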


Re: publishing PGP keys in DNS

2016-12-21 Thread Bjoern Schiessle
Hi Werner,

thanks for the explanation.

On Wed, 21 Dec 2016 09:22:17 +0100 Werner Koch wrote:
>
> Anyway, I would suggest to avoid DNS and use the Web Key Directory
> instead. See
> . I
> can also offer to work with schokokeks.org to setup the whole thing
> for all their users.

Yesterday I already set this up successfully for my domain
(schiessle.org). I just thought that having the DNS record as well would
be a nice addition. But then I will just keep the WKD if this is the
recommended way.

One more question to the WKD. I changed my gpg.conf to:

auto-key-locate cert pka wkd keyserver

Does this mean that gpg will try to find a WKD and a corresponding
public key automatically if I write an email to someone I don't have a
public key yet? Or will the lookup happen if I receive a mail?

Thanks!
Björn

-- 
Björn Schießle 
www: http://www.schiessle.org
twitter: @schiessle
gnupg/pgp key: 0x0x2378A753E2BF04F6
verify: https://keybase.io/BeS
fingerprint: 244F CEB0 CB09 9524 B21F B896 2378 A753 E2BF 04F6




Re: publishing PGP keys in DNS

2016-12-21 Thread Werner Koch
Hi Bjoern,

On Tue, 20 Dec 2016 22:44, bjo...@schiessle.org said:

> I want to publish my GnuPG key in DNS, therefore I followed this Howto:
> http://www.gushi.org/make-dns-cert/HOWTO.html

I guess that this howto is too old.

> $ dig +short bjoern._pka.schiessle.org. TXT
> "v=pka1;fpr=244FCEB0CB099524B21FB8962378A753E2BF04F6;uri=https://www.schiessle.org/privacy/gpg-key.txt;

With version 2.1.3 the PKA method was changed (it was never in
widespread use):

 * gpg: New option --print-pka-records.  Changed the PKA method to use
   CERT records and hashed names.  [Update: --print-pka-records
   replaced in 2.1.14.]

and in 2.1.14

 * gpg: Removed options --print-dane-records and --print-pka-records.
   The new export options "export-pka" and "export-dane" can instead
   be used with the export command.

Here is how you can create such records:

  $ gpg --export-options export-pka --export w...@gnupg.org
  $ORIGIN _pka.gnupg.org.
  ; ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013
  ; Werner Koch 
  nq6t9teux7edsnwdksswydu4o9i5es3f TYPE37 \# 26 0006  00 14 [...]
  [...]


Anyway, I would suggest to avoid DNS and use the Web Key Directory
instead. See
. I
can also offer to work with schokokeks.org to setup the whole thing for
all their users.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




publishing PGP keys in DNS

2016-12-20 Thread Bjoern Schiessle
Hi all,

I want to publish my GnuPG key in DNS, therefore I followed this Howto:
http://www.gushi.org/make-dns-cert/HOWTO.html

I can lookup the DNS entry and it looks OK to me:

$ dig +short bjoern._pka.schiessle.org. TXT
"v=pka1;fpr=244FCEB0CB099524B21FB8962378A753E2BF04F6;uri=https://www.schiessle.org/privacy/gpg-key.txt;

But if I try to test it with gpg like described in the Howto:

echo "foo" | gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt
--armor --auto-key-locate pka -r bjo...@schiessle.org

I get this error:

gpg: 0xE2BF04F6: skipped: No public key
gpg: [stdin]: encryption failed: No public key

Any idea what's wrong?

Thanks!
Björn

-- 
Björn Schießle 
www: http://www.schiessle.org
twitter: @schiessle
gnupg/pgp key: 0x0x2378A753E2BF04F6
verify: https://keybase.io/BeS
fingerprint: 244F CEB0 CB09 9524 B21F B896 2378 A753 E2BF 04F6
