pka-lookups and dnssec
Werner Koch
wk at gnupg.org
Mon Dec 5 14:15:07 CET 2011
On Mon, 5 Dec 2011 13:26, gnupg at lists.grepular.com said:
> verification, but if you don't have the key already, it doesn't know the
> UID associated with the key used to sign and therefore can't do the PKA
> lookup... Is there some additional command line option that I should be
Well, PKA requires additional information in the signature:
To send this mail, Alice will first sign it using her private key.
That signature carries one extra piece of signed information for use
by PKA: the mail address from the ``From:'' line. The user IDs and
mail addresses included in the key are not sufficient because it is
common to have several mail addresses in a key, which might not even
match the address used in the ``From:'' line.
Using so-called notation data (OpenPGP) or signed attributes (X.509)
this address gets signed along with the actual text of the message.
When using OpenPGP the notation for our example would be:
\begin{verbatim}
pka-address@gnupg.org=alice@example.net
\end{verbatim}
``pka-address@gnupg.org'' is the key that identifies this as PKA notation
data.
With gpg you would use this option:
  --sig-notation "pka-address@gnupg.org=alice@example.net"
With GPGME you use the gpgme_sig_notation_add function to set such a notation.
> Also. Would it be useful to add a feature to GnuPG so it displays the
> fact that a PKA record it retrieved was DNSSEC signed, when true? Just
> for informational purposes. It strikes me as useful information to have...
It does this:
  log_info (_("automatically retrieved `%s' via %s\n"),
            name, mechanism);
You may want to use something like
  --auto-key-locate=pka,cert,local
to define the order in which lookups are done.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
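The point of Werner's reply is that the verifier cannot know which mail address to look up unless the signer put it into the signature as notation data. The following Python is an added illustration (not code from GnuPG or from this thread) of that flow on the verifying side: extract the pka-address notation, derive a DNS name from it, parse a TXT record, and compare the record's fingerprint with the signing key. The DNS naming scheme (`<local-part>._pka.<domain>`) and the record layout (`v=pka1;fpr=...;uri=...`) are my recollection of the PKA draft and are not stated in the mail above, so treat them as assumptions; the DNS data, fingerprint and addresses are constructed for the example, and the lookup is a dictionary standing in for a DNSSEC-validating resolver.

```python
"""PKA address notation and record check, modelled on Werner's explanation.

Added example; not GnuPG code. The _pka naming and the v=pka1 record
layout are assumptions taken from memory of the PKA draft.
"""
import re
from typing import Dict, List, Optional, Tuple

# Notation name gpg uses for the signed From: address (from the mail above).
PKA_NOTATION_NAME = "pka-address@gnupg.org"

# Constructed sample data: a 40-hex-digit fingerprint and a fake DNS zone.
ALICE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
CONSTRUCTED_DNS: Dict[str, Tuple[str, bool]] = {
    # name -> (TXT record content, was the answer DNSSEC validated?)
    "alice._pka.example.net": (
        f"v=pka1;fpr={ALICE_FPR};uri=finger:alice@example.net", True),
    "bob._pka.example.org": (
        f"v=pka1;fpr={'F' * 40};uri=hkp://keys.example.org", False),
}


def parse_sig_notation(notation: str) -> Tuple[str, str]:
    """Split a 'name@domain=value' string as given to --sig-notation."""
    name, sep, value = notation.partition("=")
    if not sep or "@" not in name:
        raise ValueError(f"notation must look like name@domain=value: {notation!r}")
    return name, value


def pka_address_from_notations(notations: List[Tuple[str, str]]) -> Optional[str]:
    """Return the mail address the signer put into the signature, if any."""
    for name, value in notations:
        if name == PKA_NOTATION_NAME:
            return value
    return None


def pka_dns_name(address: str) -> str:
    """Assumed PKA naming: alice@example.net -> alice._pka.example.net."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return f"{local}._pka.{domain}"


def parse_pka_record(txt: str) -> Dict[str, str]:
    """Parse the assumed 'v=pka1;fpr=<40 hex>;uri=<uri>' TXT layout."""
    fields: Dict[str, str] = {}
    for item in txt.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("not a PKA version 1 record")
    fpr = fields.get("fpr", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("record lacks a valid 40-hex-digit fingerprint")
    fields["fpr"] = fpr
    return fields


def pka_check(signer_fpr: str, notations: List[Tuple[str, str]],
              zone: Dict[str, Tuple[str, bool]] = CONSTRUCTED_DNS) -> Dict[str, object]:
    """Verify a signer's fingerprint against the PKA record for the signed address.

    Returns a dict with 'status' plus what a verifier would log: the DNS name
    used and whether the answer was DNSSEC validated (informational only).
    """
    address = pka_address_from_notations(notations)
    if address is None:
        # Exactly the situation in the question: no pka-address notation,
        # so there is nothing to look up.
        return {"status": "no-notation", "dns_name": None, "dnssec": None}
    dns_name = pka_dns_name(address)
    answer = zone.get(dns_name)
    if answer is None:
        return {"status": "no-record", "dns_name": dns_name, "dnssec": None}
    txt, dnssec_ok = answer
    record = parse_pka_record(txt)
    matches = record["fpr"] == signer_fpr.replace(" ", "").upper()
    return {
        "status": "ok" if matches else "fingerprint-mismatch",
        "dns_name": dns_name,
        "dnssec": dnssec_ok,
        "uri": record.get("uri"),
    }


if __name__ == "__main__":
    notation = [parse_sig_notation("pka-address@gnupg.org=alice@example.net")]
    print(pka_check(ALICE_FPR, notation))
    print(pka_check(ALICE_FPR, []))
```

The DNSSEC flag is carried through only so that the verifier can report it, mirroring the "automatically retrieved ... via pka" log line: the fingerprint comparison, not the DNSSEC status, is what decides whether the key is accepted.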