A lot of questions about CERT, PKA and make-dns-cert
Dan Mahoney, System Admin
danm at prime.gushi.org
Wed Oct 21 11:44:55 CEST 2009
On Wed, 21 Oct 2009, David Shaw wrote:
> You didn't give an actual version number (run gpg2 --version), so I can only
> make an educated guess, but I do think I see your problem. You don't have
> one key in your CERT - you have two (309C17C5 and 624BB249) combined into one
> DNS record. That doesn't work - it's a one-name-one-key mapping. We should
> give a better error message in this case.
Aah, yes, there we go. Now it seems to work on all my systems. For some
reason I assumed --export would just pick one key to match on, just as
--delete-keys does. Note there's still a secondary key, hence my
confusion.
So far, the commands for a PGP CERT are:
gpg --list-keys gushi at gushi.org
(read, get key id)
gpg2 --export --export-options export-clean > keyid.pub.bin
-or-
gpg2 --export --export-options export-minimal > keyid.pub.bin
make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. > keyid.dnscert
The commands for an IPGP cert are:
gpg --list-keys you at you.com
Choose your keyid from the above.
gpg2 --export --armor keyid > keyid.pub.asc
copy the ascii file somewhere where it's url accessible.
Manually copy/paste your fingerprint into the next command:
make-dns-cert -n gushi.gushi.org. -u url format (which?) -f fingerprint >keyid.dnscert
Then, publish one (and only one) CERT record in dns per-label. In my
case this also means signing the zone and all that.
Finally, for an _PKA record, it involves manually:
user at domain.com becomes user._pka.domain.com.
Get your keyid as above.
1) Export to a uri as for IPGP cert, above (presumably, it can be the same
uri).
Strip your fingerprint like so:
2) gpg --fingerprint keyid | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'
The format of the text record is simple:
you._pka.domain.com. IN TXT "v=pka1;fpr=[#1];uri=[#2]"
Where the values are substituted from the steps above.
Publish this in DNS.
Test using: dig you._pka.domain.com TXT, see if you get a result.
Test with a GPG client that doesn't otherwise have the key:
echo "foo" | gpg --auto-key-locate pka --armor --encrypt -r you at domain.com
and see if you get an output.
So here's the laundry list:
0) Do the above look mostly-right?
1) What are the best options for exporting certs for a CERT record? For a
uri-styled record? (i.e. which signatures do you want to include?)
2) Do either the pka or the IPGP standards require the key to be in
binary/ascii format?
3) What's the "sanctioned" list of uri formats? Where is it defined for
CERT? For PKA?
4) As I'm not a c-coder, how difficult would it be to have the
make-dns-cert output in base64 instead of binary?
5) How solid is the output of --fingerprint? Is it likely to change
between versions, or are the grep and sed listed likely to work most
places?
6) How difficult would it be to get the cert-export functions right into
gpg?
7) How difficult would it be to get make-dns-cert built-by-default?
8) (asked previously) Is it worth filing a bug on not being able to
specify multiple keyservers for auto-key-locate?
9) (also previously) Is it worth filing a bug to not have auto-key-locate
vomit on unsupported methods?
With the answers to the above, I'll write up a nice howto doc including
the prereqs for all the above, the DNS requirements, and the like.
-Dan
--
"It's three o'clock in the morning. It's too late for 'oops'. After
Locate Updates, don't even go there."
-Paul Baecker
January 3, 2k
Indeed, sometime after 3AM
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
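As an added example that is not part of the thread: a POSIX shell script that runs the post's fingerprint pipeline on a constructed sample of gpg output, refuses to build a record unless the result is a 40-digit fingerprint, emits the v=pka1 TXT line, and re-checks a record value as dig would return it. The extract_fpr_colons variant, the sample outputs, key ids, fingerprints and URI are all my own assumptions, not from the thread.

```shell
#!/bin/sh
# Added example: build and check a PKA TXT record from the post's steps.
# Both sample outputs below are constructed; key ids and fingerprints are made up.

# Older human-readable `gpg --fingerprint` layout that the post's grep/sed expects.
SAMPLE_FPR_OUTPUT='pub   1024D/DEADBEEF 2009-10-21
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF
uid                  Example User <you@domain.com>
sub   2048g/CAFEF00D 2009-10-21'

# Same key via `gpg --with-colons --fingerprint` (pub/uid lines omitted):
# fingerprint is field 10 of each fpr record, primary key first, subkeys after.
SAMPLE_COLON_OUTPUT='fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210CAFEF00D:'

# Step 2 from the post, unchanged: drop the label and every space.
extract_fpr() {
  printf '%s\n' "$1" | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'
}

# Version-stable alternative: first fpr record (the primary key) of colon output.
extract_fpr_colons() {
  printf '%s\n' "$1" | sed -n 's/^fpr:::::::::\([0-9A-Fa-f]*\):.*/\1/p' | head -n 1
}

# A v4 OpenPGP fingerprint is exactly 40 hex digits; refuse anything else.
check_fpr() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# user@domain + fingerprint + URI -> the record line from the post.
pka_record() {
  user="${1%@*}"; domain="${1#*@}"
  check_fpr "$2" || { echo "refusing to publish bad fingerprint: $2" >&2; return 1; }
  printf '%s._pka.%s. IN TXT "v=pka1;fpr=%s;uri=%s"\n' "$user" "$domain" "$2" "$3"
}

# Check a TXT value as returned by dig: version tag present and fpr well-formed.
check_pka_txt() {
  fields=$(printf '%s\n' "$1" | tr ';' '\n')
  [ "$(printf '%s\n' "$fields" | sed -n 's/^v=//p')" = "pka1" ] &&
    check_fpr "$(printf '%s\n' "$fields" | sed -n 's/^fpr=//p')"
}

FPR=$(extract_fpr "$SAMPLE_FPR_OUTPUT")
pka_record you@domain.com "$FPR" https://www.example.com/keyid.pub.asc
```

On question 5: newer gpg versions print the fingerprint line without the "Key fingerprint =" label, so the pipeline in the post silently yields an empty string there, which is why the length check runs before anything is published and why the --with-colons form is the one intended for scripts.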