On Sun, 2024-01-21 at 01:30 -0500, Theodore Ts'o wrote: > Unlike James, I've tried to use DANE, since about the only thing that ^ never? > has as disastrous a user experience as gpg is DNSSEC. :-) I just > manually upload keys to the kernel and Debian keyrings, and it's been > working out, apparently without much pain for either me or to those > who rely on my keys --- at least, no one as complained to me so > far.... Well the theory is sound: if the DNS is secure and trustworthy, getting the gpg key from the same domain as the email records proves the tie between the uid and the key (obviating the need for all this keysigning and web of trust). Making DNS substitute for all these stupid external CAs for web certificates as well (via DANE export of the X509 public key) is also a good idea, as is exporting the ssh host keys and things. However, having maintained DNSSEC for almost a decade now, I'm not going to pretend it's something a non-expert sysadmin should be trying: it's very particular and problems are hard to debug; you really have to be in the top tier of expert sysadmins to be successful with it. However, once it is running, bind9 now takes much of the pain out of rolling the domain keys and, if you run a dynamic domain (one that can be updated with nsupdate), you can actually give all your users scoped permission to update their own key records, so if you have an expert sysadmin on the domain, they can make DANE usable for all the non experts. I think the gpg usability problem is that I can't mark my key as being DANE available in the key itself, so gpg would just automatically check the DNS for an update and throw a warning if there was a DNS problem (but still use the cached key). The failure is the users having to figure out that my key is DANE available and then what combinatoric explosion of gpg options they actually need to update it. James