Re: pgp keys
Bill Stewart writes:
| At 11:55 AM 4/4/96 -0500, Jack P. Starrantino [email protected] wrote:
| >Is there a reliable method for obtaining the pgp public key for an
| >arbitrary email address? [....] to obtain keys I do not have.
|
| Reliable? No; not everybody follows The One True KeyDistribution Method,
| or even follows one-or-more of the popular electronic approaches,
| and not all keys that are distributed electronically are on the Internet,
| though some of them may be on intranets or fido or uucp nets.
It would be neat if individual Internet sites could run their own key
servers in a distributed framework, using whatever protocol(s) they
wanted to. Finding someone's public key shouldn't be rocket science -
if you already have their email address. Checking the signatures might
be, though ?
The pgp.net folks have established the convention of "keys.<domain
component>.pgp.net", which lends itself to a simple algorithm along the
lines of...
Email address:
[email protected]
Look for:
keys.mrrl.lut.ac.uk.pgp.net
keys.lut.ac.uk.pgp.net
keys.ac.uk.pgp.net
keys.uk.pgp.net
keys.pgp.net
I'm not clear on whether it would be friendlier on the DNS to start
with the least specific cases and move down to the most specific (i.e.
reverse the order of the steps). The latter would seem to result in
less junk (NXDOMAIN responses) being kept by DNS servers which
implement negative caching.
Keyservers might reasonably be expected to speak a number of
protocols ? e.g. mail to "pgp-public-keys", finger, and perhaps a
dedicated key lookup protocol ?
OK so we're lacking a mechanism for indicating things like which
protocols/services a host supports, on which port numbers, etc...
Perhaps it isn't even something we should be thinking about in relation
to key servers ? In any case, lots of new DNS RRs have been proposed
which could handle the problem - but not implemented or deployed :-)
As a quick hack, I suppose the embedded URL scheme used by Netfind
could be nicked and put to use for public key servers, e.g. in
pseudo-Perl
foreach (@txt_records) {        # TXT records found at keys.<domain>.pgp.net
    next unless /^kx-/;         # only interested in kx-<URL>
    s/^kx-//;                   # toss Key eXchanger prefix out
    do_something_with($_);      # use resulting URL
}
Do people have any opinions about these ideas ? Obviously the DNS is
going to be vulnerable to spoofing, so those URLs may be dodgy. If
we're checking the signatures aggressively this needn't be a problem,
at least in relation to serving up public keys ?
If anyone knows of a forum where this stuff is being discussed, I'd
appreciate a pointer. Would be happy to set up a dedicated list if
there isn't anything already. FWIW, I don't seem to see any discussion
on cypherpunks, coderpunks, spki, ietf-pkix, ietf-asid, ietf-ids, ...
:-(
Martin
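The keys.<domain component>.pgp.net walk and the kx-<URL> TXT-record convention sketched in the post above, as an added example that is not part of the original message or of pgp.net's software. It is written in Python rather than the post's pseudo-Perl, performs no DNS lookups (the TXT records are constructed inline, the local part "user" is made up), and the allow-list of URL schemes is an assumption added here because the post itself notes that spoofed DNS answers make the resulting URLs untrustworthy.

```python
import re
from urllib.parse import urlsplit

# Constructed sample TXT records, as if read from keys.mrrl.lut.ac.uk.pgp.net.
# The kx- convention is the post's proposal; these particular records are made up.
SAMPLE_TXT_RECORDS = [
    "kx-finger://keys.mrrl.lut.ac.uk/pgp-public-keys",
    "kx-mailto:pgp-public-keys@keys.mrrl.lut.ac.uk",
    "v=spf1 -all",                          # unrelated TXT record, ignored
    "kx-telnet://keys.mrrl.lut.ac.uk",      # scheme not in allow-list, dropped
    "kx-",                                  # prefix with no URL, dropped
]

# Assumed allow-list of key-lookup schemes: the post mentions mail and finger;
# http stands in for a dedicated lookup service.  Anything else is refused.
ALLOWED_SCHEMES = frozenset({"mailto", "finger", "http"})

KX_PREFIX = re.compile(r"^kx-(\S+)$")


def candidate_keyservers(email, suffix="pgp.net", most_specific_first=True):
    """Build the keys.<domain component>.<suffix> names to try for an address.

    most_specific_first=True gives the order shown in the post; False gives the
    reversed order, which leaves fewer NXDOMAIN entries in negatively caching
    resolvers when most domains run no keyserver.
    """
    local, sep, domain = email.rpartition("@")
    labels = [lbl for lbl in domain.lower().rstrip(".").split(".") if lbl]
    if not sep or not local or not labels:
        raise ValueError("not a usable email address: %r" % (email,))
    # keys.mrrl.lut.ac.uk.pgp.net, keys.lut.ac.uk.pgp.net, ..., keys.pgp.net
    names = ["keys." + ".".join(labels[i:]) + "." + suffix
             for i in range(len(labels))]
    names.append("keys." + suffix)
    return names if most_specific_first else names[::-1]


def key_exchanger_urls(txt_records, allowed=ALLOWED_SCHEMES):
    """Extract kx-<URL> entries from TXT records, keeping only allowed schemes.

    DNS answers may be spoofed, so each record is treated as untrusted input:
    the URL must be well-formed and use a scheme the client is prepared to speak.
    """
    urls = []
    for rec in txt_records:
        m = KX_PREFIX.match(rec.strip())
        if not m:
            continue
        url = m.group(1)
        if urlsplit(url).scheme.lower() in allowed:
            urls.append(url)
    return urls


if __name__ == "__main__":
    for name in candidate_keyservers("user@mrrl.lut.ac.uk"):
        print(name)
    for url in key_exchanger_urls(SAMPLE_TXT_RECORDS):
        print("key exchanger:", url)
```

Wiring this to a real resolver would mean issuing a TXT query for each candidate name in turn and stopping at the first that answers; the scheme allow-list is where a client decides which of the post's proposed transports (mail, finger, a dedicated protocol) it will actually follow, so a spoofed record cannot redirect it to a protocol it never intended to use.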