Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS u

sks-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS u

From:	David Shaw
Subject:	Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?)
Date:	Mon, 6 Jul 2009 18:56:17 -0400

On Jul 6, 2009, at 3:06 PM, Daniel Kahn Gillmor wrote:

On 07/06/2009 12:04 PM, David Shaw wrote:
On the subject of the various "pool" keyserver addresses, I'mworking on
(re) adding SRV support to GPG using DNS service discovery.
Excellent news, thank you David!
Are you thinking about using simple SRV records [0], or (as your useof
the term "service discovery" suggests) the more-complex DNS-SD [1]?
DNS-SD (in conjunction with the rest of the zeroconf suite, and a
well-implemented pubring-via-HKP daemon) could make it possible to
quickly and easily share public keys and certifications betweenneighbors.

DNS-SD can work with the zeroconf and mDNS stuff, but it is its ownbeast. What I am doing should lay some groundwork if someone wants totake things a step further (find your keyserver automatically on aLAN, for example), but that's not what I'm shooting for today.


I'm aiming for two basic features:

1) A simple "keyserver sks-keyservers.net" (or whatever pool you like)should be able to balance across keyservers based on some usefulcriteria.2) Port numbers should be provided automatically, so users never needto know if a keyserver is running on 11371 or 80 (and that applies toSSL as well)


And a third, somewhat more obscure feature, is:

3) The ability to ask a domain for its keyserver, so if you aremailing address@hidden, your GPG instance can ask example.com forits keyserver(s), and then contact that keyserver. This is similar tothe convention for storing keys in a LDAP server, where "ldap://keys.$domainname" contains the keys for $domainname.

The utility of #1 and #2 are clear. The utility of #3 is less so, soit likely won't be in the first cut of this.

It could also open up concerns about the ease of spoofing keyservers,
but i think those concerns already exist on the 'net today -- using
explicitly decentralized protocols like mDNS/DNS-SD is just taking the
decentralized and unauthenticated gossiping keyservers model one step
further.

I think it is essentially as secure as things are now. We findkeyservers via DNS today, and this wouldn't change that. It'spotentially two lookups vs one, but it's still dependent on the DNSnot being spoofed.

 We rely on client-side crypto to evaluate the legitimacy of
returned signatures anyway, and that certainly wouldn't change.


Yes.

David

[Prev in Thread]

Current Thread

[Next in Thread]

[Sks-devel] pool.sks-keyservers.net DNS unresponsive?, Daniel Kahn Gillmor, 2009/07/02
- Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?, Joseph Oreste Bruni, 2009/07/02
  - Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?, Daniel Kahn Gillmor, 2009/07/02
- Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?, Phil Pennock, 2009/07/02
  - Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?), David Shaw, 2009/07/06
    - Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?), Daniel Kahn Gillmor, 2009/07/06
    - Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?), David Shaw <=
    - Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?), Daniel Kahn Gillmor, 2009/07/06

Prev by Date: Re: [Sks-devel] pgp.mit.edu upgraded to SKS
Next by Date: Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?)
Previous by thread: Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?)
Next by thread: Re: Service discovery (was Re: [Sks-devel] pool.sks-keyservers.net DNS unresponsive?)
Index(es):
- Date
- Thread