firstlookmedia / gpgsync

:lock: GPG Sync is designed to let users always have up-to-date public keys for other members of their organization
GNU General Public License v3.0

DANE integration for authority component #112

Open ageis opened 7 years ago

ageis commented 7 years ago

I don't have time to flesh this out entirely, but assuming gpgsync is the client, and there's a role for an authority which signs the list of fingerprints, then you can add some other tools to push people's public keys as DNS records to the organization's domain using DANE, a very nascent standard.

Basically given admin-level API creds to the organization's DNS (cloudflare/route53/gandi) or whatever, this tool would optionally push and synchronize DNS records containing people's latest keys. In fact, it's probably best managed as an Ansible script, or it might be a different project than GPGSync if not in scope.

openpgp_resource

ageis commented 6 years ago

Let's pick this up soon. I want a PoC of RFC7929 usage and this seems like the perfect use case. It will be optional, but just for spreading awareness of the standard. Plus if your domain is signed with DNSSEC then the signed list of fingerprints are moot. :P lmk when you have a day to hack
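As an added example, not part of this thread or of the gpgsync project: the RFC 7929 owner-name derivation that a DNS push tool would need, plus a small sync planner that turns an authority's list of keys into the minimal set of zone changes. The provider API shape (`published` as owner name to base64 RDATA) and the choice not to case-fold the local part are assumptions of this example; the sample key bytes are constructed.

```python
from __future__ import annotations

import base64
import hashlib


def openpgpkey_owner_name(email: str) -> str:
    """Return the DNS owner name at which RFC 7929 places the OPENPGPKEY
    record for `email`: hex(SHA-256(local-part))[:28 octets] . _openpgpkey . domain.

    The local part is hashed exactly as given (no case folding); this example
    treats that as an assumption and documents it because 'Hugh' and 'hugh'
    resolve to different names.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}"


def openpgpkey_zone_line(email: str, public_key: bytes, ttl: int = 3600) -> str:
    """Render one zone-file line. RDATA is the binary OpenPGP transferable
    public key (RFC 4880, not ASCII-armored), shown base64-encoded in
    presentation format."""
    rdata = base64.b64encode(public_key).decode("ascii")
    return f"{openpgpkey_owner_name(email)}. {ttl} IN OPENPGPKEY {rdata}"


def plan_sync(desired: dict[str, bytes], published: dict[str, str]) -> dict[str, list]:
    """Compare what the authority wants published against what the zone
    currently holds and return the minimal change set.

    `desired`   maps email -> binary public key (the authority's signed list).
    `published` maps owner name -> base64 RDATA as returned by the DNS
                provider (assumed shape; adapt to the real API).
    Records that match are left alone so repeated runs are idempotent, and
    owners no longer in the list are scheduled for deletion so revoked or
    departed members do not linger in DNS.
    """
    wanted = {
        openpgpkey_owner_name(email): base64.b64encode(key).decode("ascii")
        for email, key in desired.items()
    }
    upsert = [(owner, rdata) for owner, rdata in wanted.items() if published.get(owner) != rdata]
    delete = sorted(owner for owner in published if owner not in wanted)
    return {"upsert": upsert, "delete": delete}


if __name__ == "__main__":
    # Constructed sample data: the key bytes are placeholders, not a real key.
    members = {"hugh@example.com": b"\x99\x01constructed-key-bytes"}
    zone = {"deadbeef._openpgpkey.example.com": "c3RhbGU="}  # stale record
    for email, key in members.items():
        print(openpgpkey_zone_line(email, key))
    print(plan_sync(members, zone))
```

The planner is deliberately dry-run only: feeding its output to a provider API is where the admin-level credentials the comment mentions come in, and keeping that step separate makes the diff reviewable before anything is written.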

wiktor-k commented 6 years ago

I would recommend taking a look at Web Key Directory that has some benefits over DNS based key discovery schemes:

  1. it's easier to deploy, requires only HTTPS, that's basically free with Let's Encrypt,
  2. it's encrypted and authenticated, so your queries are hidden and cannot be modified,
  3. it's supported and enabled by default by GnuPG and several e-mail clients (like Enigmail).

DNS-based key lookups have very low adoption; GnuPG is considering obsoleting and removing them.

See also: Web Key Directory setup guide.
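As an added example, not from the thread or the gpgsync project: the Web Key Directory address mapping the comment above recommends, and the file layout a server would publish for an organization's members. The hashing (SHA-1 of the lowercased local part, z-base-32 encoded) and the advanced/direct URL forms follow the WKD specification; the key bytes and member list below are constructed, and the `wkd_layout` helper's return shape is this example's own choice.

```python
from __future__ import annotations

import base64
import hashlib
import urllib.parse

# z-base-32 alphabet used by WKD; standard base32 output is remapped onto it
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_B32_TO_Z = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", ZBASE32)


def wkd_hash(local_part: str) -> str:
    """z-base-32(SHA-1(lowercase local part)): the 32-character file name
    under hu/. 20 bytes = 160 bits = exactly 32 base32 symbols, no padding."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_Z)


def wkd_urls(email: str) -> dict[str, str]:
    """Both lookup URLs a client tries: the advanced method (openpgpkey
    subdomain, domain repeated in the path) and the direct method."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    q = urllib.parse.quote(local, safe="")  # ?l= carries the local part as given
    base = "/.well-known/openpgpkey"
    return {
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{h}?l={q}",
        "direct": f"https://{domain}{base}/hu/{h}?l={q}",
    }


def wkd_layout(domain: str, members: dict[str, bytes]) -> dict[str, bytes]:
    """Files to publish for the direct method: an (empty) policy file, which
    must exist, and one binary public key per member under hu/<hash>.
    Members whose address is not in `domain` are rejected so a key for
    another domain is never served from this one."""
    domain = domain.lower()
    files = {f"{domain}/.well-known/openpgpkey/policy": b""}
    for email, key in members.items():
        local, _, member_domain = email.rpartition("@")
        if member_domain.lower() != domain:
            raise ValueError(f"{email!r} does not belong to {domain}")
        files[f"{domain}/.well-known/openpgpkey/hu/{wkd_hash(local)}"] = key
    return files


if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG"))
    # Constructed sample: placeholder key bytes, not a real OpenPGP key
    for path in wkd_layout("example.org", {"Joe.Doe@Example.ORG": b"\x99\x01placeholder"}):
        print(path)
```

Clients fetch the advanced URL first and fall back to the direct one, so an organization only has to serve whichever it can put behind HTTPS; the query parameter is informational and the hashed file name is what actually selects the key.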