Publishing PGP Keys in DNS
Dan Mahoney has written a new overview of publishing PGP keys via DNS:
Publishing PGP keys is a pain. There are many disjoint keyservers, three or four networks of which, which do (or don’t) share information with each other. Some are corporate, some are private. And it’s a crapshoot as to whose key is going to be on which, or worse, which will have the latest copy of a person’s key.
For a long time, GPG has had a way to publish keys in DNS, but it hasn’t been well documented. This document hopes to change that.
I do not work with DNS much any more, so I have not tried it.
The PGP Global Directory Verification Key
Below is a highly abbreviated output of gpg --list-sigs for my public key, 0xE6602099, specifically the output for user identity jh@jameshoward.us:
pub 4096R/E6602099 2009-08-30
uid James Patrick Howard, II <jh@jameshoward.us>
sig 2 1 3C4A1809 2009-09-02 GSWoT - Gossamer Spider Web of Trust
sig 3 1 6126D1F5 2009-08-30 James Patrick Howard, II
sig P 65D0FD58 2009-08-30 CA Cert Signing Authority (Root CA)
sig X CA57AD7C 2009-09-03 PGP Global Directory Verification Key
sig X CA57AD7C 2009-09-16 PGP Global Directory Verification Key
sig 3 E6602099 2009-08-30 James Patrick Howard, II
One signature worth noting is the self signature from 0x6126D1F5. This offers users of my public key assurance that I approve of tying this user identity, including the email address, to me. Two others, from 0x3C4A1809 and 0x65D0FD58, are the root keys for the Gossamer Spider Web of Trust and CAcert, respectively.
But also included are three signatures from 0xCA57AD7C, the PGP Global Directory Verification Key. PGP Corporation runs a unique keyserver that, unlike others, does not retain historical data. The server sends a verification message to each email address on the key. Once an address is verified, the Global Directory records this for future use. When the key is downloaded later, each verified address is signed at download time by the PGP Global Directory Verification Key.
The unique aspect of this is the short time to live for these certifications. Signatures from the Global Directory are set to expire two weeks after creation, though they will be recreated the next time the key is fetched. As a result, some keys in the wild have numerous PGP Global Directory Verification Key signatures embedded. For instance, the most recent copy of the CAcert key above has 114 certifications from the PGP Global Directory included.
PGP acknowledges that this method of verification has limitations. But as a first-level identity check, especially when the email address is already known, it can provide a quick and dirty test for a valid key.
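As an added example (not code from the original post or from PGP Corporation), the Python script below applies that quick check to plain `gpg --list-sigs` output: for each user ID it collects the signatures made by 0xCA57AD7C and reports how many there are, the newest one, and whether that newest signature is still inside its two-week lifetime on a given date. The embedded listing is the abbreviated one from this page; the key ID and the 14-day lifetime are taken from the text above, and the line-format regexes are my own assumption about the listing layout.

```python
"""Find PGP Global Directory verification signatures in gpg --list-sigs output."""
import re
from datetime import date, timedelta

# Key ID of the PGP Global Directory Verification Key (from the listing above).
GLOBAL_DIRECTORY_KEYID = "CA57AD7C"
# The page states that Directory signatures expire two weeks after creation.
GD_SIG_LIFETIME = timedelta(days=14)

# Constructed sample input: the abbreviated listing shown on this page.
SAMPLE_LISTING = """\
pub 4096R/E6602099 2009-08-30
uid James Patrick Howard, II <jh@jameshoward.us>
sig 2 1 3C4A1809 2009-09-02 GSWoT - Gossamer Spider Web of Trust
sig 3 1 6126D1F5 2009-08-30 James Patrick Howard, II
sig P 65D0FD58 2009-08-30 CA Cert Signing Authority (Root CA)
sig X CA57AD7C 2009-09-03 PGP Global Directory Verification Key
sig X CA57AD7C 2009-09-16 PGP Global Directory Verification Key
sig 3 E6602099 2009-08-30 James Patrick Howard, II
"""

# Assumed layout: "uid <name>" and "sig <flags...> <8-hex keyid> <YYYY-MM-DD> <signer>".
UID_RE = re.compile(r"^uid\s+(.+)$")
SIG_RE = re.compile(r"^sig(?:\s+\S+)*?\s+([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")


def parse_listing(text):
    """Return {uid: [(signer_keyid, signature_date, signer_name), ...]}."""
    uids, current = {}, None
    for line in text.splitlines():
        m = UID_RE.match(line)
        if m:
            current = m.group(1).strip()
            uids[current] = []
            continue
        m = SIG_RE.match(line)
        if m and current is not None:
            keyid, day, name = m.groups()
            uids[current].append((keyid, date.fromisoformat(day), name.strip()))
    return uids


def directory_verification(text, as_of):
    """Per uid: (count of Directory sigs, newest sig date, still valid on as_of) or None."""
    as_of = date.fromisoformat(as_of)
    result = {}
    for uid, sigs in parse_listing(text).items():
        gd_dates = sorted(d for k, d, _ in sigs if k == GLOBAL_DIRECTORY_KEYID)
        if not gd_dates:
            result[uid] = None  # address never verified through the Global Directory
            continue
        newest = gd_dates[-1]
        result[uid] = (len(gd_dates), newest, as_of <= newest + GD_SIG_LIFETIME)
    return result
```

Run it against `gpg --list-sigs <keyid>` output piped into `parse_listing`; a `None` or an expired entry means the address has not been re-verified recently, not that the key is bad.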