Please review OpenPGP part of RFC 2538bis
RFC 2538 is being revised to improve the details regarding OpenPGP
certificates, to promote interoperability. The point of the document
is to store OpenPGP certificates and revocation information in DNS. I
would appreciate it if people here would look at the proposed update to
see if it references RFC 2440 properly. The document is available
In particular, the part that describes what goes into the data portion
of OpenPGP CERT RRs now reads:
The PGP type indicates an OpenPGP data packet. Two uses are to
transfer public key material and revocation signatures. The data is
binary, and MUST NOT be encoded into an ASCII armor. Public keys can
use the OpenPGP public key packet (tag 6) or public subkey packet
(tag 14), as described in section 5.5 of . Revocation signatures
can use an OpenPGP signature packet with a revocation signature type,
i.e., signature type 0x20, 0x28 or 0x30, as described in section 5.2
Is this correct? Would it be useful to mention other kinds of OpenPGP
data packets directly, as well?
The owner name guidelines part of the document has been extended with
the following text. To review this requires some familiarity with DNS.
Applications that receive an OpenPGP packet but do not know the email
address of the sender will have difficulties guessing the correct
owner name. However, the OpenPGP packet typically contains the Key ID
of the key. Such applications can derive the owner name from the Key
ID using a Base 16 encoding . For example:
F835EDA21E94B565716F IN CERT PGP ...
B565716F IN CNAME F835EDA21E94B565716F
Again, if the same key material is stored at several owner names,
CNAME can be used to avoid data duplication.
Further, if someone has additional thoughts on the document, now would
be a good time to discuss them.
If someone is interested in reviewing the differences in 2538bis
compared to 2538, there are some additional resources available from:
Since this work is not part of the OpenPGP WG charter, it is
presumably safest to reply to me off-list. If you feel an on-list
discussion can be tolerated, that could prove useful.
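As an added illustration (not part of the post or the 2538bis draft), the following Python code checks a CERT PGP RDATA payload against the two rules quoted above (binary, not ASCII-armored; a tag 6/14 public key packet or a signature packet of type 0x20, 0x28 or 0x30) and derives the Key-ID-based owner name plus the short-Key-ID CNAME. The zone name and the one-packet-per-RR assumption are mine; packet header parsing follows RFC 2440 section 4.2.

```python
import re

# RFC 2440 section 5.2.1: key revocation, subkey revocation, certification revocation
REVOCATION_SIG_TYPES = {0x20, 0x28, 0x30}
PUBLIC_KEY_TAGS = {6, 14}  # public key packet, public subkey packet
SIGNATURE_TAG = 2

def parse_packet_header(data: bytes):
    """Return (tag, body_offset) of the first OpenPGP packet in data.
    Handles old- and new-format headers (RFC 2440 section 4.2)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    ctb = data[0]
    if ctb & 0x40:                       # new-format header
        first = data[1]
        if first < 192:    body = 2      # one-octet length
        elif first < 224:  body = 3      # two-octet length
        elif first == 255: body = 6      # five-octet length
        else: raise ValueError("partial body lengths not supported in this check")
        return ctb & 0x3F, body
    length_type = ctb & 0x03             # old-format header
    return (ctb >> 2) & 0x0F, 1 + {0: 1, 1: 2, 2: 4, 3: 0}[length_type]

def classify_cert_pgp_rdata(data: bytes) -> str:
    """Return 'public-key' or 'revocation-signature', or raise ValueError
    if the RDATA violates the draft text quoted in the message."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        raise ValueError("ASCII armor is not allowed; RDATA MUST be binary")
    tag, body = parse_packet_header(data)
    if tag in PUBLIC_KEY_TAGS:
        return "public-key"
    if tag == SIGNATURE_TAG:
        version = data[body]
        # v3: version, hashed-material length (5), signature type
        # v4: version, signature type
        sig_type = data[body + 2] if version == 3 else data[body + 1]
        if sig_type in REVOCATION_SIG_TYPES:
            return "revocation-signature"
        raise ValueError(f"signature type 0x{sig_type:02x} is not a revocation type")
    raise ValueError(f"packet tag {tag} is neither a public key nor a signature")

def is_valid_cert_pgp_rdata(data: bytes) -> bool:
    try:
        classify_cert_pgp_rdata(data)
        return True
    except (ValueError, IndexError):
        return False

def owner_names_for_key_id(key_id_hex: str, zone: str):
    """Derive the Base 16 owner name and the CNAME from the 32-bit short
    Key ID (last 8 hex digits) to it, as in the draft's example."""
    full = key_id_hex.upper()
    if not re.fullmatch(r"[0-9A-F]{16,}", full):
        raise ValueError("Key ID must be at least 16 hex digits")
    return f"{full}.{zone}", f"{full[-8:]}.{zone} IN CNAME {full}.{zone}"
```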