Request: --export-options export-dane-modern
Hi,

Is there any chance that a new export option could be added (alongside or instead of export-dane) to output "modern" Bind9 zonefile syntax (i.e. "OPENPGPKEY" rather than "TYPE61 \# 2193", and base64 rather than hexadecimal)?

I suppose it's not important. It's just prettier. But since DNS query tools like host and dig output OPENPGPKEY records in base64, it would make it easier to compare their output against gpg's output.

The reason I'm asking is that DNSSEC is so easy to implement these days (at least with the new debian-11 which has bind-9.16+), and I've just written a DANE management tool that makes DANE easy to implement. So far it only handles TLSA and SSHFP. I'd like to add support for OPENPGPKEY (i.e. calling gpg to produce the record, and calling host to check that it's published). I could (and probably will) get it to transform gpg's output itself, but I thought I'd ask.

cheers,
raf

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
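The transformation raf says the tool could do itself, as an added example that is not from the original post or from GnuPG: rewrite gpg's export-dane output (RFC 3597 generic syntax, `TYPE61 \# <length> <hex>`) into `OPENPGPKEY <base64>` and compare the result with what dig or host prints. The layout assumed for gpg's output (two `;` comment lines, hex wrapped in parentheses over several lines) is an assumption, and the sample record is constructed; the declared `\#` length is checked against the decoded hex so a truncated copy is refused.

```python
import base64
import re

# Constructed sample in the shape of gpg --export-options export-dane output
# (RFC 3597 generic syntax, TYPE61 = OPENPGPKEY). The hex is a placeholder,
# not a real OpenPGP key, and the owner-name hash is made up.
CONSTRUCTED_EXPORT = """\
; 0123456789ABCDEF0123456789ABCDEF01234567
; alice@example.com
ab12cd34._openpgpkey.example.com. TYPE61 \\# 12 (
\t99010d04deadbeef
\t0a0b0c0d
\t)
"""

# owner [ttl] [IN] TYPE61 \# <length> <rest of line>
_HDR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TYPE61\s+\\#\s+(\d+)\s*(.*)$")


def generic_to_modern(zone_text: str) -> list[str]:
    """Rewrite TYPE61 generic records as 'owner OPENPGPKEY <base64>' lines.

    Parenthesised multi-line RDATA is joined; the declared \\# length must
    match the decoded hex, otherwise a truncated paste would be published.
    """
    out, lines, i = [], zone_text.splitlines(), 0
    while i < len(lines):
        m = _HDR.match(lines[i].strip())
        i += 1
        if not m:
            continue  # ';' comments and non-TYPE61 lines are left alone
        owner, declared, body = m.group(1), int(m.group(2)), m.group(3)
        while "(" in body and ")" not in body:  # multi-line form: read to ')'
            if i >= len(lines):
                raise ValueError(f"{owner}: unterminated '(' in RDATA")
            body += " " + lines[i].strip()
            i += 1
        rdata = bytes.fromhex("".join(c for c in body if c not in "() \t"))
        if len(rdata) != declared:
            raise ValueError(f"{owner}: \\# says {declared} bytes, got {len(rdata)}")
        out.append(f"{owner} OPENPGPKEY {base64.b64encode(rdata).decode()}")
    return out


def same_rdata(modern_line: str, dig_base64: str) -> bool:
    """True if a converted line carries the same key bytes that dig/host
    printed (dig wraps long base64 with spaces, so whitespace is ignored)."""
    ours = "".join(modern_line.split(" OPENPGPKEY ", 1)[1].split())
    return base64.b64decode(ours) == base64.b64decode("".join(dig_base64.split()))
```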
Why is --auto-key-locate only for encrypting?
Hi,

debian-11, gpg-2.2.27

Why is the --auto-key-locate only for encrypting (says the gpg(1) manpage)? Wouldn't it also be useful when receiving emails and verifying signatures?

cheers,
raf
Re: Why is --auto-key-locate only for encrypting?
On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> Why is the --auto-key-locate only for encrypting (says
> the gpg(1) manpage)? Wouldn't it also be useful when
> receiving emails and verifying signatures?

--auto-key-locate looks up keys by email address. It makes no sense when verifying signatures because in this case you already know the key id the signature was made with, so that there's no reason to look up the key by email address (which is ambiguous).

The equivalent for automatic look-up of keys when verifying signatures is --auto-key-retrieve.

Regards,
Ingo
Re: Why is --auto-key-locate only for encrypting?
On 2021-09-01 at 13:50 +0200, Ingo Klöcker wrote:
> On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > Why is the --auto-key-locate only for encrypting (says
> > the gpg(1) manpage)? Wouldn't it also be useful when
> > receiving emails and verifying signatures?
>
> --auto-key-locate looks up keys by email address. It makes no sense when
> verifying signatures because in this case you already know the key id the
> signature was made with, so that there's no reason to look up the key by
> email address (which is ambiguous).

If you're looking up purely by key id, then you need a working global key-lookup facility. It doesn't federate.

If you look up by email address, then federation becomes available and efforts such as WKD pay off.

-Phil
Re: Why is --auto-key-locate only for encrypting?
On Wed, Sep 01, 2021 at 01:50:36PM +0200, Ingo Klöcker wrote:
> On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > Why is the --auto-key-locate only for encrypting (says
> > the gpg(1) manpage)? Wouldn't it also be useful when
> > receiving emails and verifying signatures?
>
> --auto-key-locate looks up keys by email address. It makes no sense when
> verifying signatures because in this case you already know the key id the
> signature was made with, so that there's no reason to look up the key by
> email address (which is ambiguous).

Thanks. I don't understand why it makes no sense, but I'll take your word for it. But I can think of a reason to look up the key by email address even though you have the keyid from the signature: when the key is not on a keyserver or a WKD server, but is in a DNS OPENPGPKEY record (DANE). But perhaps that's not a thing.

> The equivalent for automatic look-up of keys when verifying signatures is
> --auto-key-retrieve.

Thanks, but the manpage doesn't include DANE as one of the lookup methods for that option. That's what I was hoping for. Since this option does a WKD lookup if wkd is in the auto-key-locate list (and --disable-signer-uid isn't used), it seems that it would make sense to do a DANE lookup if dane is in the auto-key-locate list (and --disable-signer-uid isn't used).

> Regards,
> Ingo

cheers,
raf