Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

[John Gilmore <gnu@toad.com>]

> For what it is worth, I agree that using the DNS to store per-user data is
> not a good approach. The DNS administration model is that it makes
> assertions about network names and not individual users. Previous attempts
> to put end users in the DNS have uniformly met with failure.
> 
> But that does not mean that LDAP is a useful tool. LDAP has tons of
> complexity and none of it does the slightest bit of good.

The classic Internet protocol for providing per-user data is "finger",
RFC 742 from 1977.  (Note by the way the illustrious users in the
"examples" section.)  It has been updated a few times, most recently
in RFC 1288 from 1991.  It is a Draft Standard.  Many people put their
PGP public key in their .plan file for easy remote access via finger.

Finger has two drawbacks for this purpose: It is not authenticated nor
encrypted; and it is designed to be human-readable, not
machine-readable.  But a simple finger-like protocol, authenticated
and encrypted via keys anchored in DNSSEC, might not only fill the
need to obtain keys, but also offer a secured and machine-readable
replacement for the finger protocol.

> Sounds like you are proposing this.
> http://www.ietf.org/rfc/rfc4386.txt

Well, no.  That just specifies a DNS RR for finding a server that
includes X.509 stuff.  It doesn't define a protocol for getting the
stuff from that server, nor is it generic to information beyond X.509.

>> * draft-wouters-dane-openpgp-00
>> * draft-wouters-dane-otrfp-00

These actually specify how to get authenticated key material from the
DNS.  (However, they don't encrypt the DNS transaction, so the 
identity of the user being communicated with is leaked to NSA and
any other wiretappers...)

	John