Paul Wouters <paul@xxxxxxxxx> writes:

> On Wed, 23 Sep 2015, Simon Josefsson wrote:
>
>>> Some people disagree with you and think DNSSEC is a viable PKI for their
>>> intended use. These people want to use DNSSEC. We can give those people
>>> an experimental RFC with OPENPGPKEY record, or we can force them to use
>>> an individual submitted draft with a TXT record stalled until expiry.
>>
>> Or they can use the already specified CERT record, which GnuPG supports.
>
> You would still need to address the key lookup mechanism. One of the
> reasons CERT failed for openpgp was the lack of binding between mailbox
> and DNS. You did not know where to look for the CERT record.

If I understand correctly, I believe section 3 of RFC 4398 discusses this:

http://tools.ietf.org/html/rfc4398#section-3

In particular section 3.3 explains how an OpenPGP key for leslie@host.example
would lead to a CERT record on the leslie.host.example domain. See

http://tools.ietf.org/html/rfc4398#section-3.3

>> Yes, CERT has its own share of problems, that you have explained, but I
>> don't see that any of the issues you brought up with CERT (that I mostly
>> agree with, FWIW) has had bearing on its deployment success or not.
>
> I agree. The lookup mechanism makes things like this possible:
>
> apt-get install hash-slinger
> openpgpkey --fetch pwouters@xxxxxxxxxxxxxxxxx
>
> As well as running automatic encryption using the openpgpkey-milter with
> postfix or sendmail. If you install openpgpkey-milter, your mail server
> will already encrypt all email sent to me.

That's cool! It looks similar to GnuPG's auto-key-lookup mechanism which
supports CERT records.

/Simon
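The RFC 4398 section 3.3 mapping Simon points to, as an added example that is not part of this thread or of any of the tools mentioned: it derives the CERT owner name from a mailbox, splits that name into wire labels, and parses a CERT record's presentation form, rejecting anything that is not an OpenPGP (PGP) type record. Keeping the local part as a single label with embedded dots escaped as "\." is an assumption beyond what the thread states, and the sample RDATA is constructed, not a real key.

```python
import base64
from typing import List, Tuple

# CERT type mnemonics from RFC 4398 section 2.1 (only those needed here).
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3}


def cert_owner_name(mailbox: str) -> str:
    """leslie@host.example -> leslie.host.example (RFC 4398 section 3.3)."""
    local, at, domain = mailbox.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    # Assumption beyond the thread: the local part stays one DNS label, so a
    # dot inside it is escaped as "\." in presentation form.
    label = local.replace("\\", "\\\\").replace(".", "\\.")
    return f"{label}.{domain.rstrip('.').lower()}"


def wire_labels(owner: str) -> List[bytes]:
    """Split a presentation-form owner name into wire labels, honouring "\\."."""
    labels, cur, i = [], "", 0
    while i < len(owner):
        ch = owner[i]
        if ch == "\\" and i + 1 < len(owner):  # escaped character
            cur += owner[i + 1]
            i += 2
            continue
        if ch == ".":  # unescaped dot ends the current label
            labels.append(cur.encode("ascii"))
            cur = ""
        else:
            cur += ch
        i += 1
    labels.append(cur.encode("ascii"))
    return labels


def parse_cert_rdata(presentation: str) -> Tuple[int, int, int, bytes]:
    """Parse 'type key-tag algorithm base64...' and require the PGP type."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("CERT RDATA needs type, key tag, algorithm, certificate")
    ctype = CERT_TYPES.get(fields[0].upper()) or int(fields[0])
    key_tag, alg = int(fields[1]), int(fields[2])
    cert = base64.b64decode("".join(fields[3:]), validate=True)
    if ctype != CERT_TYPES["PGP"]:
        raise ValueError(f"not an OpenPGP CERT record (type {ctype})")
    return ctype, key_tag, alg, cert


# Constructed sample RDATA: the base64 is a stand-in, not a real OpenPGP key.
SAMPLE_RDATA = "PGP 0 0 " + base64.b64encode(b"constructed-openpgp-blob").decode()
```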