Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

"Rick van Rein (OpenFortress)" <> Wed, 07 August 2013 06:31 UTC

To: Michael Richardson <>
Cc:, Phillip Hallam-Baker <>, John Gilmore <>, "" <>


>> The classic Internet protocol for providing per-user data is "finger",
>> RFC 742 from 1977.

Love it.  My first play with redundant/reliable hosting was "fingerhosting", which
achieved 99.9999% uptime due to triple servers of 99% each :)

>> Finger has two drawbacks for this purpose: It is not authenticated nor
>> encrypted;

Yes, so it is purely there for public data.  For such data, it's better-positioned user data than DNS.

>> and it is designed to be human-readable, not
>> machine-readable.

That ought to be good for some degree of privacy ;-) but this is why so many attempts are made to structure data in DNS but why I prefer LDAP with its large set of predefined techniques and formats -- and its openness for DIY specs that won't clash due to the use of ASN1 OIDs.

I wouldn't mind seeing http://user@domain/ step into this cavity BTW -- HTTP must be the only protocol on the planet (well, sort of) that does not support usernames, and we are using this pattern very, very often nowadays.

>  Given IPv6, putting a unique IP
> address per hosted domain isn't so terrible, but having
>        % finger

This would be an operational impossibility I fear.  If people need to get an IPv6 address per user to be able to run finger, then no admin will support it.  "Just use WebFinger", I can hear them say.

WebFinger by the way, is too far up the stack IMHO -- it queries the .well-known directory on a webserver, fills in a pattern and does a query.  Sounds more like DNS stuff to me, and a good application for http://user@domain/ -- the other obvious beneficiary being OpenID.  This might call for a SRV record of some kind in the DNS -- or an NAPTR.

> (yes, you can finger me for keys to check this message. John convinced me it
> the utility 15 years ago.)

Wonderful :)  If there were more like you it'd be the IPv6-added-value-showcase that could help the transport conquer the World ;-)