Hi,

Fedora is probably the first to use OPENPGPKEY at a large scale.

https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01

Everyone[*] who added a GPG keyid in FAS has their key published now using the OPENPGPKEY specification. You can obtain a key using the openpgpkey command of the hash-slinger package:

paul@bofh:~$ openpgpkey --fetch pwouters@xxxxxxxxxxxxxxxxx
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: pwouters@xxxxxxxxxxxxxxxxx key obtained from DNS
Comment: key transfer was protected by DNSSEC
Version: GnuPG v1

[blob]

Note that during FAS processing I found out that:

1) there are many nonsense values instead of keyids in the fas field (some put in their fingerprint, which is not useful without a key, some had multiple keyids, and one person managed to unicode kill python-gnupg by putting their name in there)

2) most people don't have their fedoraproject.org as uid on their key

3) a LOT of keys were expired - I still put these in the zone

4) the gpg/python-gnupg minimal export still caused some keys to be too big for dns. I simply removed those keys from the zone data.

5) almost all these keys are old keys of which I could forge a fake matching keyid and upload it to public key servers.

This last item is important because we sadly did not store the actual public keys in FAS, but only their keyid. We should really change that.

Updating your key in fas does not yet automatically update the OPENPGPKEY record in DNS.

If you are brave, you can install openpgpkey-milter on your mail server, and it will start to automatically encrypt email to those fedoraproject.org email addresses that have keys associated with them.

If you want to run this yourself in other domains, you can use the openpgpkey command to generate these records for keys in your local gnupg keyring:

openpgpkey --create paul@xxxxxxxxx

See further man openpgpkey

Paul

ps. thunderbird/enigmail support anyone? GSoC?
:)
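
Added example, not part of the original message and not hash-slinger's code: how the DNS owner name and a generic-syntax zone line for an address are formed under RFC 7929, the published successor of the draft linked above (the draft revision the message cites may differ in detail). It assumes an unquoted local-part; the function names and the sample key bytes are constructed for illustration.

```python
import hashlib
import unicodedata

# Hard protocol limit: RDLENGTH is a 16-bit field, so a key larger than
# this cannot be carried in a single record at all.
MAX_RDATA = 65535


def owner_name(address: str) -> str:
    """Return the RFC 7929 section 3 owner name for an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    # Non-ASCII local-parts are NFC-normalised, then encoded as UTF-8.
    # The local-part is hashed as given: no case folding is applied, so
    # "Hugh" and "hugh" map to different owner names.
    local = unicodedata.normalize("NFC", local)
    # SHA2-256, truncated to 28 octets, hex-encoded (56 characters).
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return "%s._openpgpkey.%s." % (label, domain.rstrip("."))


def generic_record(address: str, key: bytes) -> str:
    """Zone-file line in RFC 3597 generic syntax; OPENPGPKEY is type 61.

    `key` is the binary (not ASCII-armored) public key export.
    """
    if not key:
        raise ValueError("empty key")
    if len(key) > MAX_RDATA:
        raise ValueError(
            "key is %d bytes, RDATA maximum is %d" % (len(key), MAX_RDATA)
        )
    return "%s IN TYPE61 \\# %d %s" % (owner_name(address), len(key), key.hex())


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real OpenPGP key.
    sample_key = bytes.fromhex("9901")
    print(owner_name("hugh@example.com"))
    print(generic_record("hugh@example.com", sample_key))
```

A resolver that validates DNSSEC is still required on the fetching side; the owner name alone says nothing about whether the answer was authenticated.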