On 28.1.2015 21:34, Paul Wouters wrote:
> Hi,
>
> Fedora is probably the first to use OPENPGPKEY at a large scale.
>
> https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01

Paul, thank you for doing this experiment! I definitely support it.

For people who do not watch dane-list closely, please keep in mind that:

1) It is just a draft, nothing is set in stone.
2) The -01 version of the draft does not fully specify the data format, so it actually does not define an interoperable standard. For details see my previous comment:
   http://www.ietf.org/mail-archive/web/dane/current/msg07227.html

Brave souls willing to do standards work related to PGP keyring formats are more than welcome!

Petr Spacek @ Red Hat

> Everyone[*] who added a GPG keyid in FAS has their key published now
> using the OPENPGPKEY specification. You can obtain a key using the
> openpgpkey command of the hash-slinger package:
>
> paul@bofh:~$ openpgpkey --fetch pwouters@xxxxxxxxxxxxxxxxx
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Comment: pwouters@xxxxxxxxxxxxxxxxx key obtained from DNS
> Comment: key transfer was protected by DNSSEC
> Version: GnuPG v1
>
> [blob]
>
> Note that during FAS processing I found out that:
>
> 1) there are many nonsense values instead of keyids in the FAS field
>    (some put in their fingerprint, which is not useful without a key,
>    some had multiple keyids, and one person managed to unicode-kill
>    python-gnupg by putting their name in there)
> 2) most people don't have their fedoraproject.org address as a uid on their key
> 3) a LOT of keys were expired - I still put these in the zone
> 4) the gpg/python-gnupg minimal export still caused some keys to be too
>    big for DNS. I simply removed those keys from the zone data.
> 5) almost all these keys are old keys for which I could forge a fake
>    matching keyid and upload it to public key servers.
>
> This last item is important because we sadly did not store the actual
> public keys in FAS, but only their keyid. We should really change that.
>
> Updating your key in FAS does not yet automatically update the
> OPENPGPKEY record in DNS.
>
> If you are brave, you can install openpgpkey-milter on your mail server,
> and it will start to automatically encrypt email to those
> fedoraproject.org email addresses that have keys associated with them.
>
> If you want to run this yourself in other domains, you can use the openpgpkey
> command to generate these records for keys in your local gnupg keyring:
>
> openpgpkey --create paul@xxxxxxxxx
>
> See further man openpgpkey
>
> Paul
>
> ps. thunderbird/enigmail support anyone? GSoC?

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
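The record generation Paul describes (`openpgpkey --create`) and the three data-quality problems he hit (keys whose UIDs do not carry the address, keys too big for DNS, and 32-bit keyids that cannot identify a key) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from hash-slinger, or from the draft. It assumes the -01-era owner-name construction (SHA2-224 of the local part, hex-encoded, under `_openpgpkey`; RFC 7929 later changed this to truncated SHA2-256), emits the generic RFC 3597 `TYPE61` presentation form, and feeds itself a constructed, structurally valid but unusable RSA key packet plus one User ID packet. All function names (`owner_name`, `make_record`, `build_sample_key`, ...) are this example's own.

```python
"""Added example: build an OPENPGPKEY record for an address from a binary
OpenPGP public key, and apply the sanity checks from the thread."""
import hashlib
import struct

OPENPGPKEY_RRTYPE = 61     # IANA RR type number for OPENPGPKEY
MAX_RDATA_BYTES = 65535    # hard DNS RDATA limit; real resolvers balk far sooner


def owner_name(email):
    """Assumed -01 draft rule: hex(SHA2-224(local part))._openpgpkey.domain."""
    local, domain = email.rsplit("@", 1)
    return f"{hashlib.sha224(local.encode('utf-8')).hexdigest()}._openpgpkey.{domain}."


def iter_packets(data):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 4.2), old and new
    header formats with definite lengths; partial/indeterminate lengths rejected."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                              # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += length


def fingerprint(key):
    """v4 fingerprint: SHA-1 over 0x99, 2-octet length, key packet body (RFC 4880 12.2)."""
    for tag, body in iter_packets(key):
        if tag == 6:
            if body[0] != 4:
                raise ValueError("only v4 keys supported")
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no public-key packet found")


def short_keyid(key):
    """The 32-bit keyid is just the low 8 hex digits of the fingerprint; storing
    only this (as FAS did) leaves nothing that uniquely identifies the key."""
    return fingerprint(key)[-8:]


def user_ids(key):
    return [body.decode("utf-8", "replace") for tag, body in iter_packets(key) if tag == 13]


def make_record(email, key, max_rdata=MAX_RDATA_BYTES):
    """Generic RFC 3597 presentation form; refuses keys that do not name the
    address in any UID and keys that will not fit in DNS."""
    if not any(email.lower() in uid.lower() for uid in user_ids(key)):
        raise ValueError(f"no user ID on this key mentions {email}")
    if len(key) > max_rdata:
        raise ValueError(f"key is {len(key)} bytes, exceeds {max_rdata}")
    return f"{owner_name(email)} IN TYPE{OPENPGPKEY_RRTYPE} \\# {len(key)} {key.hex()}"


def _mpi(x):
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def build_sample_key(uid="Test User <test@example.com>"):
    """Constructed test data: v4 RSA public-key packet with a fake 1024-bit
    modulus (not a real key) plus one User ID packet, old-format headers."""
    n = int.from_bytes(b"\xc1" + b"\x5a" * 127, "big")
    body = b"\x04" + struct.pack(">I", 1422480000) + b"\x01" + _mpi(n) + _mpi(65537)
    pubkey = b"\x99" + struct.pack(">H", len(body)) + body    # tag 6, 2-octet length
    uid_bytes = uid.encode("utf-8")
    return pubkey + b"\xb4" + bytes([len(uid_bytes)]) + uid_bytes  # tag 13, 1-octet length


if __name__ == "__main__":
    k = build_sample_key()
    print(fingerprint(k), short_keyid(k), user_ids(k))
    print(make_record("test@example.com", k))
```

To use it on a real key, pass the output of `gpg --export <keyid>` (binary, not armored) as `key`; the UID check is deliberately a substring match so that comment fields and bracketed addresses both pass, and the size check should be tightened to whatever your authoritative server and resolvers actually accept.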