Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

John Gilmore <> Wed, 07 August 2013 01:06 UTC

To: Phillip Hallam-Baker <>
Comments: In-reply-to Phillip Hallam-Baker <> message dated "Tue, 06 Aug 2013 14:51:23 -0400."
Date: Tue, 06 Aug 2013 18:06:30 -0700
From: John Gilmore <>
Cc: "Rick van Rein (OpenFortress)" <>
Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere
List-Id: "Ongoing discussion of OpenPGP issues." <>

> For what it is worth, I agree that using the DNS to store per-user data is
> not a good approach. The DNS administration model is that it makes
> assertions about network names and not individual users. Previous attempts
> to put end users in the DNS have uniformly met with failure.
> But that does not mean that LDAP is a useful tool. LDAP has tons of
> complexity and none of it does the slightest bit of good.

The classic Internet protocol for providing per-user data is "finger",
RFC 742 from 1977.  (Note by the way the illustrious users in the
"examples" section.)  It has been updated a few times, most recently
in RFC 1288 from 1991.  It is a Draft Standard.  Many people put their
PGP public key in their .plan file for easy remote access via finger.

Finger has two drawbacks for this purpose: It is not authenticated nor
encrypted; and it is designed to be human-readable, not
machine-readable.  But a simple finger-like protocol, authenticated
and encrypted via keys anchored in DNSSEC, might not only fill the
need to obtain keys, but also offer a secured and machine-readable
replacement for the finger protocol.

> Sounds like you are proposing this.

Well, no.  That just specifies a DNS RR for finding a server that
includes X.509 stuff.  It doesn't define a protocol for getting the
stuff from that server, nor is it generic to information beyond X.509.

>> * draft-wouters-dane-openpgp-00
>> * draft-wouters-dane-otrfp-00

These actually specify how to get authenticated key material from the
DNS.  (However, they don't encrypt the DNS transaction, so the 
identity of the user being communicated with is leaked to NSA and
any other wiretappers...)
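To make the finger discussion above concrete, here is a minimal RFC 1288 exchange run over loopback: a one-shot server that answers a `username CRLF` query with the user's `.plan`, and a client that reads the reply and pulls out an armored public key block. This is an added illustration, not code from the thread or from any of the drafts it mentions; the `.plan` contents and the key block inside them are constructed placeholders, not real key material. What the exchange makes visible is the drawback Gilmore names: the key arrives as plain text over an unauthenticated TCP connection, so nothing in the protocol lets the client tell a genuine `.plan` from one substituted on the path, which is exactly the gap a DNSSEC-anchored replacement would close.

```python
"""Minimal RFC 1288 (finger) exchange over loopback, added as an illustration.

Constructed example: the .plan contents and the "key" inside them are
placeholders, not a real OpenPGP key.
"""
import socket
import threading

# Constructed .plan files keyed by login name (placeholder key block, not real key data).
PLAN_FILES = {
    "alice": (
        "Working on the DANE drafts this week.\n"
        "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
        "EXAMPLE-PLACEHOLDER-KEY-DATA-NOT-A-REAL-KEY\n"
        "-----END PGP PUBLIC KEY BLOCK-----\n"
    ),
    "bob": "Out of office.\n",
}

PGP_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PGP_END = "-----END PGP PUBLIC KEY BLOCK-----"


def parse_finger_query(raw: bytes):
    """Parse an RFC 1288 {Q1} request: optional "/W" (verbose), optional user, CRLF.

    Returns (verbose, username); username is "" for the 'list all users' form.
    """
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    verbose = False
    if line.startswith("/W"):
        verbose = True
        line = line[2:]
    return verbose, line.strip()


def build_response(username: str) -> str:
    """Build the plain-text reply the server returns (CRLF line endings per RFC 1288)."""
    if username == "":
        # RFC 1288 allows a server to refuse to enumerate users; do that here.
        return "finger: user listing disabled.\r\n"
    plan = PLAN_FILES.get(username)
    if plan is None:
        return "finger: %s: no such user.\r\n" % username
    body = "Login: %s\r\nPlan:\r\n" % username
    body += plan.replace("\n", "\r\n")
    return body


def _serve_one(conn: socket.socket) -> None:
    """Handle a single finger connection: read one query line, reply, close."""
    with conn:
        raw = conn.recv(1024)
        _verbose, user = parse_finger_query(raw)
        conn.sendall(build_response(user).encode("ascii"))


def start_server():
    """Start a one-shot loopback finger server on an ephemeral port; returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _addr = srv.accept()
        _serve_one(conn)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def finger(host: str, port: int, username: str) -> str:
    """Client side: send "<username>CRLF" and read until the server closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((username + "\r\n").encode("ascii"))
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    # Note: nothing here authenticates the reply; it is whatever bytes arrived on the wire.
    return b"".join(chunks).decode("ascii", errors="replace")


def extract_pgp_block(text: str):
    """Return the first armored public key block in a finger reply, or None if absent."""
    lines = [l.rstrip("\r") for l in text.split("\n")]
    try:
        start = lines.index(PGP_BEGIN)
        end = lines.index(PGP_END, start)
    except ValueError:
        return None
    return "\n".join(lines[start:end + 1])


def run_demo(username: str = "alice"):
    """Run one full exchange over loopback; returns (reply_text, key_block_or_None)."""
    port, t = start_server()
    reply = finger("127.0.0.1", port, username)
    t.join(timeout=5)
    return reply, extract_pgp_block(reply)


if __name__ == "__main__":
    reply, key = run_demo("alice")
    print(reply)
    print("extracted key block:", key is not None)
```

The server and client are deliberately symmetric with the RFC: the whole request is one line, the whole reply is free text terminated by connection close. Querying `bob` shows the client's only defence against a missing or tampered key is a parse failure (`extract_pgp_block` returns `None`), which is why a machine-readable, authenticated successor is needed rather than a cleverer parser.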