keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Add support for fetching keys and performing proofs via PKA (DNS-based key lookups) #1594

Open pkirkovsky opened 9 years ago

pkirkovsky commented 9 years ago

PKA is based on TXT records that look like this: pavel._pka.kirkovsky.com and map to key emails (the @ symbol is replaced with _pka). The record itself contains the key's primary email, key fingerprint, and URL pointing to the full key.

Manually checking the record shows the following:

$ dig +short pavel._pka.kirkovsky.com TXT
"v=pka1\;fpr=4328CFD67B46A8FB32270F4F0CE4A0B83F3FC81F\;uri=https://kirkovsky.com/pavel@kirkovsky.com.asc"

Using PKA, keys can be fetched via DNS and imported automatically:

$ echo "Secret message" | gpg --auto-key-locate pka -ear pavel@kirkovsky.com
gpg: requesting key 0x0CE4A0B83F3FC81F from https server kirkovsky.com
[...]
gpg: automatically retrieved `pavel@kirkovsky.com' via PKA
-----BEGIN PGP MESSAGE-----
[...]

If Keybase supported PKA, it could take care of public key import, email verification, DNS verification, and (possibly) web verification in one go. This method is complemented nicely by DNSSEC.

References: http://www.gushi.org/make-dns-cert/HOWTO.html https://www.df7cb.de/blog/2007/openpgp-dns.html https://keyserver.mattrude.com/guides/public-key-association/
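Added example (my own code, not from this issue thread, Keybase or GnuPG): a small helper that builds the `_pka` DNS name for an address and parses a PKA TXT record of the shape shown above (`v=pka1;fpr=...;uri=...`), accepting both the raw record and dig's quoted, `\;`-escaped rendering. It enforces the checks a consumer should apply before trusting such a record: a 40-hex-digit fingerprint, an https URI, and a fingerprint comparison against the key actually fetched (without DNSSEC the TXT record itself is unauthenticated, so the `fpr` comparison is what ties the downloaded key to the record). The sample record in the usage section is the one quoted in this thread; a record that spells the field `pr=` instead of `fpr=`, as the one quoted later in the thread does, is rejected as missing its fingerprint.

```python
"""Build PKA DNS names and validate PKA TXT records (added example)."""
import re
from dataclasses import dataclass

# OpenPGP v4 fingerprint: 40 hex digits (spaces from gpg's display are stripped first)
FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def pka_dns_name(email: str) -> str:
    """pavel@kirkovsky.com -> pavel._pka.kirkovsky.com (the '@' becomes '._pka.')."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local}._pka.{domain}"


@dataclass(frozen=True)
class PkaRecord:
    fpr: str  # 40 hex digits, normalised to upper case
    uri: str  # https URL of the full armored key


def parse_pka_record(txt: str) -> PkaRecord:
    """Parse 'v=pka1;fpr=<hex>;uri=<url>' and reject anything unsafe or incomplete."""
    # dig prints the record quoted and escapes ';' as '\;' (see the thread);
    # strip both so raw and dig-formatted input parse the same way.
    txt = txt.strip().strip('"').replace("\\;", ";")
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()

    if fields.get("v") != "pka1":
        raise ValueError("missing or unsupported version tag (expected v=pka1)")
    fpr = fields.get("fpr")
    if fpr is None:
        raise ValueError("missing fpr= field")
    if not FPR_RE.match(fpr):
        raise ValueError(f"fpr is not a 40-hex-digit fingerprint: {fpr!r}")
    uri = fields.get("uri")
    if not uri:
        raise ValueError("missing uri= field")
    if not uri.lower().startswith("https://"):
        # An http:// pointer lets an on-path attacker substitute the key.
        raise ValueError(f"refusing non-https key URI: {uri!r}")
    return PkaRecord(fpr=fpr.upper(), uri=uri)


def key_matches_record(record: PkaRecord, fetched_fingerprint: str) -> bool:
    """Compare the fingerprint of the key downloaded from record.uri with record.fpr.
    Accepts gpg's spaced display form ('4328 CFD6 ...')."""
    return record.fpr == fetched_fingerprint.replace(" ", "").upper()


if __name__ == "__main__":
    # Record as dig printed it in this thread.
    sample = ('"v=pka1\\;fpr=4328CFD67B46A8FB32270F4F0CE4A0B83F3FC81F'
              '\\;uri=https://kirkovsky.com/pavel@kirkovsky.com.asc"')
    print(pka_dns_name("pavel@kirkovsky.com"))
    rec = parse_pka_record(sample)
    print(rec)
    print(key_matches_record(rec, "4328 CFD6 7B46 A8FB 3227  0F4F 0CE4 A0B8 3F3F C81F"))
```

The parser deliberately does not fetch anything: the fetch step belongs to whatever HTTP client the caller trusts, and the only thing that matters afterwards is that `key_matches_record` holds for the key it returned.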

terinjokes commented 8 years ago

:+1:

zQueal commented 8 years ago

This is really cool, but it doesn't seem to be fool proof:

λ echo "test" | gpg --auto-key-locate pka -ear pavel@kirkovsky.com
gpg: requesting key 3F3FC81F from https server kirkovsky.com
gpg: DBG: armor-keys-failed (KEY 0x4328CFD67B46A8FB32270F4F0CE4A0B83F3FC81F BEGIN
) ->0
gpg: DBG: armor-keys-failed (KEY 0x4328CFD67B46A8FB32270F4F0CE4A0B83F3FC81F FAILED 1
) ->1
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver helper internal error
gpg: keyserver communications error: General error
gpg: error retrieving `pavel@kirkovsky.com' via PKA: General error
gpg: pavel@kirkovsky.com: skipped: General error
gpg: [stdin]: encryption failed: General error

terinjokes commented 8 years ago

@zQueal it works here

zQueal commented 8 years ago

Must be my setup, let me try in a VM.

pkirkovsky commented 8 years ago

@zQueal The "keyserver helper internal error" seems odd. What options do you have for auto-key-locate in gpg.conf?

I just tested it with a fresh install and it worked fine. I'm using gpg (GnuPG/MacGPG2) 2.0.28.

zQueal commented 8 years ago

OK. I first tested this in my Windows environment, which, let's face it, is pretty hacky. I've never been able to get SSL/TLS working correctly with GPG/cURL. I tried this in a VM and it still wasn't working out of the box. This was the error:

gpg: requesting key 3F3FC81F from https server kirkovsky.com
gpgkeys: protocol `https' not supported
gpg: no handler for keyserver scheme `https'
gpg: searching for names from ldap server keys.kirkovsky.com
gpg: Interrupt caught ... exiting

I updated gnupg and installed the missing gnupg-curl package and it's working just fine now:

gpg: requesting key 3F3FC81F from https server kirkovsky.com
gpg: key 3F3FC81F: public key "Pavel Kirkovsky <pavel@kirkovsky.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: automatically retrieved `pavel@kirkovsky.com' via PKA
gpg: 7E4A1AC3: There is no assurance this key belongs to the named user

pub  2048R/7E4A1AC3 2015-05-31 Pavel Kirkovsky <pavel@kirkovsky.com>
 Primary key fingerprint: 4328 CFD6 7B46 A8FB 3227  0F4F 0CE4 A0B8 3F3F C81F
      Subkey fingerprint: 12F6 8E03 5F1D 9223 1B3A  C5B3 9CB1 8B6B 7E4A 1AC3

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

All said and done, here's the output message:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

hQEMA5yxi2t+ShrDAQgAh21Z+BujdCnEARH47nxYPeBPi6xoFEQ0aXlGl1iUdeqR
puGs6+PjA8Rl17Y+raxjE98s+Wy0iVr1cl48YeLNc7V687xnR5QemctJ6e/Nkq7k
dSsGTKh4uVoyHnLnwF58c9SC9MhkTOqMOZvzmGfUCqai2tpb0FVbA7cNp+1+nmAT
hPekBCRyAOs/nMfQxViDtD8W02tzOJZW2M2R8crb44/dDjBjWZQgCHYV5/ljhPOZ
wPA5FkPtHR2kaxwaF6bY4M3Xje0JsneYa57D+WTSs43v378fEQzDAiP1d4RdeF6T
yWROr1/JNgiy1xXZab7AKw3lB4/SVdj+bhVYxjFMWdJAASCmfS4Dva9MwF3/4vB8
yz8HemxAeu7upzCcsZyCiAsiPCaeu6+9NXqm0286NLuc7tY54zva14PnhyIv6XlY
JA==
=0vcE
-----END PGP MESSAGE-----

Just ensure that you can decrypt it--and it looks like it's not difficult to set up. Implementation would be pretty simple, IMO.

pkirkovsky commented 8 years ago

@zQueal Looks like it worked [screenshot: 2015-10-14 at 4:42:33 pm]

zQueal commented 8 years ago

Just set this up, super easy and seems to be a nice way to import/validate PGP keys (two birds, one stone).

By setting the TXT record you can confirm that the person has access to DNS and most likely owns the domain, and it allows people to import your key easily (or even Keybase, if you're setting up your account).

Would be nice to see a setup flow where you can create a new account and verify and import your PGP key in one stroke (unless you wanted to upload your private key).

hjacobs commented 8 years ago

:+1: for supporting PKA, just configured my DNS too:

echo test | gpg2 --auto-key-locate pka -ea -r henning@jacobs1.de

sarnowski commented 8 years ago

:+1:

pkirkovsky commented 8 years ago

@hjacobs :sunglasses:

$ gpg2 --auto-key-locate pka -ea -r henning@jacobs1.de
gpg: requesting key 0xAD869A6F43D80A3B from https server www.jacobs1.de
gpg: key 0xAD869A6F43D80A3B: public key "Henning Jacobs <henning@jacobs1.de>" imported

mrandi commented 8 years ago

👍

ChenSun-Phys commented 1 year ago

locate-key (gpg --no-default-keyring --keyring /tmp/gpg-test --auto-key-locate pka --locate-keys name@mydomain) gives me

gpg: error retrieving '...' via PKA: No name
gpg: error reading key: No name

The dig (dig +short name._pka.mydomain TXT) gives me

"v=pka1; pr=58EF...; uri=https://mydomain/public_key.txt"

I tweaked with escaping ; as \;, with and without the space, but with little success. Any idea what's causing the trouble? I'm using Cloudflare in case it matters.

wiktor-k commented 1 year ago

@ChenSun-Phys In 2022 I'd rather recommend that you setup a Web Key Directory as PKA is basically deprecated in GnuPG:

  * gpg: The legacy key discovery method PKA is no longer supported.
    The command --print-pka-records and the PKA related import and
    export options have been removed.

Web Key Directory (WKD) has broader adoption (e.g. the ProtonMail web client will use it if people are messaging you), and if you don't want to set up files on your web server you can use keys.openpgp.org as WKDaaS by setting up a single CNAME record.

ChenSun-Phys commented 1 year ago

@wiktor-k Thanks for the reply! After following the WKDaaS it passes the test

curl 'https://wkd.keys.openpgp.org/status/?domain=openpgpkey.my.domain'
CNAME lookup ok: openpgpkey.my.domain resolves to wkd.keys.openpgp.org

But gpg --locate-keys --auto-key-locate clear,nodefault,wkd name@my.domain still returns gpg: error retrieving 'name@my.domain' via WKD: No data. Any idea how I can debug it?

Edit: nvm. There was a delay. After a few minutes it works.
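Added example (my own code, not from this thread, GnuPG or keys.openpgp.org) for the WKD lookup that the last two comments are debugging: it derives the URLs a WKD client fetches for an address, following the Web Key Directory draft (draft-koch-openpgp-webkey-service): SHA-1 of the lower-cased local part, z-base-32 encoded, placed under either the advanced path on `openpgpkey.<domain>` (the host the CNAME in the thread points at keys.openpgp.org) or the direct path on `<domain>` itself. Knowing the exact URL lets you `curl` it and distinguish "CNAME not propagated yet" from "key not published" when gpg only reports `No data`. The `Joe.Doe@Example.ORG` address used in the usage section is the draft's own worked example.

```python
"""Derive Web Key Directory lookup URLs for an email address (added example)."""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (Zooko's variant, not RFC 4648 base32)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """z-base-32 without padding, most significant bits first.
    A 20-byte SHA-1 digest (160 bits) maps to exactly 32 characters."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    bits = int.from_bytes(data, "big")
    # left-align to a whole number of 5-bit groups so the last group is zero-padded
    bits <<= nchars * 5 - nbits
    return "".join(
        ZBASE32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' (hashed user ID): z-base-32(SHA-1(lowercased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(email: str) -> dict:
    """Return the advanced-method and direct-method URLs, plus the policy file
    a client may probe first. The domain is lower-cased; the l= parameter keeps
    the local part as written, percent-encoded."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()
    hu = wkd_hash(local)
    l_param = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
        "policy_advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "policy_direct": f"https://{domain}/.well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

With the keys.openpgp.org CNAME in place, the `advanced` URL is the one that should answer; fetching it with `curl -sSf` returns the binary key if the address is published there and a 404 otherwise, which is more informative than gpg's `No data`.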