From 2fc27c8696f5cf2ddf3212397ea49bff115d617b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 25 Feb 2015 16:34:19 +0100 Subject: gpg: Switch to a hash and CERT record based PKA system. * common/dns-cert.c (get_dns_cert): Make r_key optional. * common/pka.c: Rewrite for the new hash based lookup. * common/t-pka.c: New. * configure.ac: Remove option --disable-dns-pka. (USE_DNS_PKA): Remove ac_define. * g10/getkey.c (parse_auto_key_locate): Always include PKA. -- Note that although PKA is now always build, it will only work if support for looking up via DNS has not been disabled. The new PKA only works with the IPGP DNS certtype and shall be used only to retrieve the fingerprint and optional the key for the first time. Due to the security problems with DNSSEC the former assumption to validate the key using DNSSEC is not anymore justified. Instead an additional layer (e.g. Trust-On-First-Use) needs to be implemented to track change to the key. Having a solid way of getting a key matching a mail address is however a must have. More work needs to go into a redefinition of the --verify-options pka-lookups and pka-trust-increase. The auto-key-locate mechanism should also be able to continue key fetching with another methods once the fingerprint has been retrieved with PKA. Signed-off-by: Werner Koch --- configure.ac | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 0d18f1997..34fffb28d 100644 --- a/configure.ac +++ b/configure.ac @@ -920,18 +920,12 @@ AC_ARG_ENABLE(dns-srv, [disable the use of DNS SRV in HKP and HTTP]), use_dns_srv=$enableval,use_dns_srv=yes) -AC_ARG_ENABLE(dns-pka, - AC_HELP_STRING([--disable-dns-pka], - [disable the use of PKA records in DNS]), - use_dns_pka=$enableval,use_dns_pka=yes) - AC_ARG_ENABLE(dns-cert, AC_HELP_STRING([--disable-dns-cert], [disable the use of CERT records in DNS]), use_dns_cert=$enableval,use_dns_cert=yes) -if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \ - || test x"$use_dns_cert" = xyes; then +if test x"$use_dns_srv" = xyes || test x"$use_dns_cert" = xyes; then _dns_save_libs=$LIBS LIBS="" # the double underscore thing is a glibc-ism? @@ -988,10 +982,6 @@ if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \ AC_DEFINE(USE_DNS_SRV,1,[define to use DNS SRV]) fi - if test x"$use_dns_pka" = xyes ; then - AC_DEFINE(USE_DNS_PKA,1,[define to use our experimental DNS PKA]) - fi - if test x"$use_dns_cert" = xyes ; then AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT]) fi @@ -1010,16 +1000,11 @@ if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \ AC_DEFINE(USE_DNS_SRV,1) fi - if test x"$use_dns_pka" = xyes ; then - AC_DEFINE(USE_DNS_PKA,1) - fi - if test x"$use_dns_cert" = xyes ; then AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT]) fi else use_dns_srv=no - use_dns_pka=no use_dns_cert=no fi fi -- cgit v1.2.3