
Add OPENPGPKEY records to DNS

Open zpc0 opened this issue 1 year ago • 2 comments

The problem you're addressing (if any)

When getting Qubes related PGP public keys, people need to verify the pubkeys manually.

The solution you'd like

Add OPENPGPKEY records to DNS.

PGP public keys can be added to a DNS record (RFC7929). Some software (including systemd) supports this record: resolvectl openpgp EMAIL-ADDRESS

DNSSEC MUST be enabled.

For reference: https://github.com/xsuchy/distribution-gpg-keys#storing-keys-in-dns

The value to a user, and who that user might be

This will enhance the PGP pubkey receiving experience.

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)

zpc0 avatar Apr 21 '24 08:04 zpc0

RFC7929 does not remove the need for verification. You are simply handing this off to systemd. Does this not require that each Qubes key has a distinct email address?

unman avatar Apr 21 '24 11:04 unman

RFC7929 does not remove the need for verification.

Indeed. The OPENPGPKEY record simply provides another way to distribute keys. The verification depends on DNSSEC. However, I still think it is useful to provide multiple ways to distribute and verify keys.

Does this not require that each Qubes key has a distinct email address?

When adding two or more PGP keys, it seems that email addresses are required to identify the keys. Since direct email is not supported except in some use-cases (reporting security problems, etc.), non-existent email addresses will work.

zpc0 avatar Apr 21 '24 12:04 zpc0
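Added example, not code from this issue or from Qubes OS: the RFC 7929 owner-name mapping that `resolvectl openpgp` performs (the reason each published key needs its own local-part, as discussed above), the zone line that publishes a key, and a v4 fingerprint check to run on whatever a resolver returns. It assumes Python 3.9+ and a key that begins with its public-key packet; the packet layout follows RFC 4880.

```python
import base64
import hashlib

def openpgpkey_owner_name(email: str) -> str:
    """RFC 7929 section 5: SHA-256 of the UTF-8 local-part, truncated to 28 octets
    and hex-encoded, is the left-most label; '@' is not hashed, domain is unchanged."""
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("expected local-part@domain")
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._openpgpkey.{domain.rstrip('.')}"

def openpgpkey_record(email: str, key: bytes, ttl: int = 3600) -> str:
    """Zone line in presentation format. RDATA is the binary transferable public
    key (RFC 4880 section 11.1), base64 in zone files; never the ASCII-armored text."""
    if key.startswith(b"-----BEGIN"):
        raise ValueError("key is ASCII-armored; dearmor it first")
    return f"{openpgpkey_owner_name(email)}. {ttl} IN OPENPGPKEY {base64.b64encode(key).decode()}"

def first_packet(data: bytes) -> tuple[int, bytes]:
    """Parse one RFC 4880 packet header (old or new format); return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header, one- or two-octet body length only
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("five-octet or partial body length not handled here")
    else:  # old-format header: two length-type bits, 3 means indeterminate
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packet")
        start = 1 + (1 << ltype)
        length = int.from_bytes(data[1:start], "big")
    return tag, data[start:start + length]

def v4_fingerprint(key: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length and the
    public-key packet body. Compare the result with a fingerprint you already
    trust; a DNS answer, even with DNSSEC, only proves who published the record."""
    tag, body = first_packet(key)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version-4 public-key packet first")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
```

Query the owner name only through a validating resolver and treat a reply without DNSSEC validation as unauthenticated; the fingerprint comparison is still what ties the key to the Qubes OS team.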