In message <87d1x8ra6a.fsf@xxxxxxxxxxxxxxxxxxx>, Simon Josefsson writes:
> Paul Wouters <paul@xxxxxxxxx> writes:
>
> > On Wed, 23 Sep 2015, Simon Josefsson wrote:
> >
> >>> Some people disagree with you and think DNSSEC is a viable PKI for their
> >>> intended use. These people want to use DNSSEC. We can give those people
> >>> an experimental RFC with OPENPGPKEY record, or we can force them to use
> >>> an individual submitted draft with a TXT record stalled until expiry.
> >>
> >> Or they can use the already specified CERT record, which GnuPG supports.
> >
> > You would still need to address the key lookup mechanism. One of the
> > reasons CERT failed for openpgp was the lack of binding between mailbox
> > and DNS. You did not know where to look for the CERT record.
>
> If I understand correctly, I believe section 3 of RFC 4398 discusses this:
> http://tools.ietf.org/html/rfc4398#section-3
>
> In particular section 3.3 explains how an OpenPGP key for
> leslie@host.example would lead to a CERT record on the
> leslie.host.example domain. See
> http://tools.ietf.org/html/rfc4398#section-3.3

Which is very much part of the problem. RFC 103[45] have mbox names, which
unfortunately cause namespace collisions. Usernames and hostnames shouldn't
be in the same namespace. RFC 4398 continues to have that problem. This
draft and the S/MIME draft address that issue by moving the looked-up name
out of the valid hostname namespace.

> >> Yes, CERT has its own share of problems, that you have explained, but I
> >> don't see that any of the issues you brought up with CERT (that I mostly
> >> agree with, FWIW) has had bearing on its deployment success or not.
> >
> > I agree. The lookup mechanism makes things like this possible:
> >
> > apt-get install hash-slinger
> > openpgpkey --fetch pwouters@xxxxxxxxxxxxxxxxx
> >
> > As well as running automatic encryption using the openpgpkey-milter with
> > postfix or sendmail. If you install openpgpkey-milter, your mail server
> > will already encrypt all email sent to me.
>
> That's cool!
>
> It looks similar to GnuPG's auto-key-lookup mechanism which supports
> CERT records.
>
> /Simon

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
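The namespace point Mark makes above can be seen by building the two owner names side by side. The following is an added illustration, not code from this thread, from hash-slinger, GnuPG or any RFC: `cert_owner_name` follows RFC 4398 section 3.3 as the thread describes it (the local-part becomes a label directly in front of the domain, with RFC 1034 mailbox escaping of dots), and `openpgpkey_owner_name` follows the OPENPGPKEY form as published in RFC 7929 (SHA2-256 of the local-part, truncated to 28 octets, hex-encoded, under a `_openpgpkey` label). It assumes the draft discussed here is the one that became RFC 7929; the revision current at the time of the thread may have differed in detail. The hostname-shape check and the constructed host list are my own, added to show where a CERT owner name can land on a name a host already uses while the underscore label can never be a valid hostname.

```python
import hashlib
import re

# Hypothetical helper names; added illustration, not code from any project or RFC.


def split_mailbox(mailbox: str):
    """Split 'local@domain' into (local-part, domain).

    Deliberately minimal: quoted local-parts and internationalised
    addresses are out of scope for this illustration.
    """
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return local, domain


def cert_owner_name(mailbox: str) -> str:
    """Owner name of an OpenPGP CERT RR per RFC 4398 section 3.3.

    The local-part becomes a single label in front of the domain, using the
    RFC 1034 mailbox encoding (dots inside the local-part are escaped), so
    leslie@host.example is looked up at leslie.host.example.
    """
    local, domain = split_mailbox(mailbox)
    return f"{local.replace('.', chr(92) + '.')}.{domain}"


def openpgpkey_owner_name(mailbox: str) -> str:
    """Owner name in the OPENPGPKEY form of RFC 7929.

    SHA2-256 over the local-part as given (no case folding applied here),
    truncated to 28 octets, hex-encoded, then placed under _openpgpkey.
    """
    local, domain = split_mailbox(mailbox)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


# RFC 1123 host label: letters, digits and interior hyphens, 1..63 chars.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname_shaped(name: str) -> bool:
    """True when every label is LDH, i.e. the name could also be a host's name."""
    return all(_LDH_LABEL.match(label) for label in name.split("."))


def collides_with_host(mailbox: str, hostnames) -> bool:
    """Does the RFC 4398 CERT owner name for this mailbox coincide with an
    existing host name in the same zone?"""
    return cert_owner_name(mailbox).lower() in {h.lower() for h in hostnames}


if __name__ == "__main__":
    # Constructed sample zone content: two ordinary hosts under host.example.
    hosts = ["www.host.example", "mail.host.example"]
    for mbox in ["leslie@host.example", "www@host.example", "first.last@host.example"]:
        cert = cert_owner_name(mbox)
        opk = openpgpkey_owner_name(mbox)
        print(f"{mbox}")
        print(f"  CERT       -> {cert}  hostname-shaped={is_hostname_shaped(cert)}"
              f"  collides={collides_with_host(mbox, hosts)}")
        print(f"  OPENPGPKEY -> {opk}  hostname-shaped={is_hostname_shaped(opk)}")
```

Running it shows the two namespaces: every CERT owner name from an unescaped local-part is a syntactically valid hostname, and a mailbox such as `www@host.example` resolves to exactly the name the web server already occupies, whereas every OPENPGPKEY owner name carries an underscore label and cannot be a host's name, which is the separation Mark describes.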