1. 20
  1. 5

    Using DNS TXT records to host public keys is a fun idea, but I don’t think it should be taken seriously without DNSSEC or so.

    1. 5

      Even then, there are issues with forward secrecy. With SSH, this doesn’t matter because the public key is used only for key exchange of an ephemeral key. You can use DNS records to specify the server’s key but unless someone has captured an entire SSH session and leaked the keys then knowing that key doesn’t help with anything (if they don’t have the key then they get nothing that they didn’t get from packet capture: they know that you connected to a particular server but the capture itself knows that you connected then and at a specific time).

      For file transfer, repudiation can be more important. If someone knows your public key then they can use that to validate that an encrypted file was created by you. Whether that’s a problem depends on your threat model. It’s been a problem with DKIM because people don’t roll over their keys and so you can find a leaked email and use DKIM to validate that it’s real.

      1. 4

        A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.

        https://en.wikipedia.org/wiki/SSHFP_record

        1. 2

          Probably still better than GPG key servers. I’d love it if the idea caught on and had some best practices associated with it.

        2. 2

          age is pretty cool. It’s easy to write scripts with it. Since it can use ssh keys, and ssh can create signatures now, sign and encrypt are easy and totally possible without using gpg.
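
The SSHFP record quoted in the thread above, as an added example that is not part of any comment: it derives the SSHFP fields from an OpenSSH public key line and accepts a match as trusted only when the DNS answer was DNSSEC-validated. The function names, verdict strings and the sample key are assumptions made for illustration, and the DNS lookup and DNSSEC validation are assumed to be done by the caller.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SHA256_TYPE = 2  # SSHFP fingerprint type 2 = SHA-256 (RFC 6594)


def key_blob(pubkey_line):
    """Return (key type, wire-format blob) from '<type> <base64> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed key type; it must match field 1.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return fields[0], blob


def sshfp_rdata(pubkey_line):
    """Return (algorithm, fingerprint type, hex SHA-256 of the key blob)."""
    key_type, blob = key_blob(pubkey_line)
    if key_type not in ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    return ALGORITHMS[key_type], SHA256_TYPE, hashlib.sha256(blob).hexdigest()


def check_host_key(pubkey_line, records, dnssec_validated):
    """Compare a presented host key with SSHFP records fetched by the caller.

    records: list of (algorithm, fp_type, hex_fingerprint) tuples.
    dnssec_validated: True only if the resolver authenticated the answer.
    """
    alg, fp_type, fp = sshfp_rdata(pubkey_line)
    matched = any(r[0] == alg and r[1] == fp_type and r[2].lower() == fp
                  for r in records)
    if not matched:
        return "mismatch"
    # Without DNSSEC the record is only as trustworthy as the network path.
    return "trusted" if dnssec_validated else "unauthenticated-match"


def constructed_key():
    """Constructed sample: an ed25519-shaped key made of bytes 0..31."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```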