CERT PGP Based GPG KEY Missing In TorProject.org DNS
I could not find/obtain any CERT PGP DNS Record in torproject.org's DNS answer, which can be used to verify authenticity of files released, shared and signed by you.
torproject.org website (zone/domain), is already signed with DNSSEC, and, TLSA dns record also exist, which declares to public what exact SSL cert you(TorProject.org) use & have approved.
Now you need to add you GPG KEY which you use to sign your files and share with public, so that, users/public can authenticate files, by obtaining GPG KEY from DNS record, by using their own local Full DNSSEC supported DNS Resolver/Server/Client software.
GPG KEY obtained via DNSSEC AUTHENTCATED data can be trusted at higher level, than obtain it via PGP/GPG KEYSERVER(s), as all DNS data kept in DNS Resource Records (RR), which can be authenticated/verified very very accurately.
To query DNS records via Tor-proxy, such can be done:
Get & install "socat". Create a script file to create/start a "socat" based port-forwarding tunnel, so that a DNS query can be send on port 54 and then routing/forwarding it toward the Tor's Socks5 Proxy port 9150, by using a command like below:
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
@start "socat 127.0.0.1:54 127.0.0.1:9150 8.8.8.8" /D"%ProgramFiles%\socat\" socat.exe TCP4-LISTEN:54,fork SOCKS4A:127.0.0.1:8.8.8.8:53,socksport=9150
</tt></td></tr></table><br />
above command line was copied from "socat-54-to-tor-9150.cmd" file from Windows computer. Binary files of "socat" tool were kept inside C:\Program Files\socat\ folder.
DNS queries can be done ANONYMOUSLY like this:
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
dig @127.0.0.1 -c in -t any -p 54 torproject.org. +dnssec +additional +vc
</tt></td></tr></table><br />
If answer have "AD" (Authenticated Data) flag and "NOERROR" status, then answer is DNSSEC authenticated.
But still possible to modify by someone in the middle.
There are other public DNS-Server(s), which supports encrypted DNS queries, and also respect user's Privacy Rights. Correct SSL certificate(cert)/key has to be obtained first, and then can be used with "socat", for creating encrypted tunnels toward such DNS-Server via Tor-proxy, and then DNS queries can be done and very accurate answer/result can be obtained/received. See more info on "socat" doc/manual, and German & Swiss Privacy Foundation's Public DNS Server, etc.
At-least 1 DNS record like below must exist:
Since Erinn Clark (erinn@torproj...org) signs binary files, a CERT GPG dns record would look like:
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
erinn._pka.torproject.org. TXT
"v=pka1\;fpr=FINGERPRINT-HEX-NUMS-OF-SIGNING-GPG-KEY\;uri=https://www.torproject.org/erinn-clark-torproject.pubkey.txt"
</tt></td></tr></table><br />
or, it can also look like:
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
erinn.torproject.org. CERT PGP 0 0 LONG-BASE64-ENTIRE-PGP/GPG-KEY-CODE
</tt></td></tr></table><br />
"CERT" is aka "TYPE37".
The actual "FINGERPRINT-HEX-NUMS-OF-SIGNING-GPG-KEY" code portion would look like:
8738A680B84B3031A630F2DB416F061063FEE659
The actual "LONG-BASE64-ENTIRE-PGP/GPG-KEY-CODE" code portion can be obtained by using below two commands by the TorProject.org zone/domain's actual owner/holder:
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
gpg --export 63FEE659 > 63FEE659.pub.bin<br />
<br />
make-dns-cert -n erinn.torproject.org. -k 63FEE659.pub.bin
</tt></td></tr></table><br />
I/end-user would prefer to obtain the entire (master-signing or 2nd-level-signing) KEY code from "CERT PGP" record, even if it is as large as 4KB.
It is More Important to deliver correct full/ENTIRE KEY code to USERS, than, sending it via a file/url, to make sure USERS are really getting authentic entire GPG/PGP-KEY code data, and then using it to authenticate files, with lesser chance of failing points, and with lesser complexity.
end-users can do such DNS queries to view GPG related DNS entry:
dig +short erinn._pka.torproject.org. TXT
or, like this:
dig +short erinn.torproject.org. CERT
If ONLY file/URL based TXT option, is mentioned/used, THEN such sensitive FILE MUST NEED TO BE DELIVERED TO USERS OVER TLS/SSL/HTTPS ENCRYPTED secured and correct CONNECTION, between TorProject.org server and users computer, (verified by DANE).
And to be 100% SURE, that both side (TorProejct's-server & user's computer) are accurately using a CORRECT SSL/TLS cert OWNED BY TorProject.org itself, entire TLS/SSL certificate hash/checksum and its fingerprint ALSO need to be placed in DNS as well. See more info on TLSA, CERT dns-records, related documents. Again, it is more important to make sure USERS are really getting authentic files, with lesser chance of failing points, and with lesser complexity, and over correctly secured connection with correct server, so use BOTH PGP/GPG option mentioned above.
Adding both "TXT" based and "CERT PGP" based DNS entry, would be better, since your dns already has TLSA record.
TorProject has now already added their TLSA in DNS RR. :)
dnssec DANE protocol supported / built-into software like : "Extended DNSSEC Validator" firefox addon (www.os3sec.org) , "DNS-Trigger" (an "Unbound" based Full DNSSEC Supported DNS-Server/DNS-Resolver, www.nlnetlabs.nl), etc (along with "DNSSEC Validator" firefox addon www.dnssec-validator.cz) allows to obtain DNSSEC Authenticated accurate data, and then these can obtain or extract correct SSL/TLS cert hash/checksum & fingerprint from TLSA, etc DNSSEC-authenticated data, and then these can show warning message to user, if correct SSL/TLS cert is NOT used for encrypted HTTPS connection, or, if a fake/forged cert or fake server is used. Also use "Cipherfox", "Cert viwer Plus", etc firefox addons to view SSL cert details and chain, and configure those to show more info. You would also need to use either a VM based DNS-Serveer (you may use "VirtualBox", and "Tails"), or, another local computer based DNS-Server, (which are pre-configured to Transparently forward all traffic including DNS through Tor-proxy), and specify such DNS-Server inside the "Extended DNSSEC Validator" firefox addon. Also see "DNS2SOCKS".
To import entire pgp/GPG keycode from DNS , user can do one single command:
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt --armor --auto-key-locate cert -r erinn@torproject.org
</tt></td></tr></table><br />
In windows, GPG software was obtained via "Cygwin", it can also be obtained from "gpg4win". And, to send GPG queries via Tor Socks5 proxy : First "Polipo" (a HTTP Proxy) tool was obtained and configured, to create a HTTP-Proxy-to-Socks5-proxy Tunnel (from HTTP Proxy port 8118 to Socks5 Proxy port 9150). See more info on "Polipo" in TorProject wiki area.
When these codes are added as command-line option, in a gpg command, then gpg query will go through Tor Socks5 proxy, (if polipo based forwarding/tunnel also exist):
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
--keyserver-options no-auto-key-retrieve,no-try-dns-srv,http-proxy=http://127.0.0.1:8118 --keyserver hkps://zimmermann.mayfirst.org,hkp://pgp.surfnet.nl,hkp://2eghzlv2wwcq7u7y.onion,hkp://pool.sks-keyservers.net,hkp://subkeys.pgp.net
</tt></td></tr></table><br />
Or, end users can also do such (preferred & recommended by me) : Base64 encoded CERT PGP dns record, can also be copied/used from a DNSSEC authenticated dns query result/answer, into a text file, and then it can be decoded, or, imported into gpg directly to get full GPG KEY. See gpg "import" command section to import from file.
So, PLEASE ADD "CERT PGP" DNS RECORD IN YOUR DNS.
Thank you, -- Bright Star (Bry8Star). bry 8 st ar a.t ya hoo d.o.t c om GPG_FPR=12B7 7F2C 92BF 25C8 38C6 4D9C 8836 DBA2 576C 10EC. GPG key-ID is last 8 digit of above code.
References:
- CERT (PGP / GPG in DNS) : https://tools.ietf.org/html/rfc4398 ( it obsoletes http://www.faqs.org/rfcs/rfc2538.html )
- DANE https://tools.ietf.org/html/rfc6394
- http://www.gushi.org/make-dns-cert/HOWTO.html (old article, May 2010)
- http://www.df7cb.de/blog/2007/openpgp-dns.html (old article, 2007)
- http://www.gnupg.org/documentation/manuals/gnupg/ (newer)
- TLSA https://tools.ietf.org/html/rfc6698
- How to authenticate binaries with GPG Key : https://www.torproject.org/docs/verifying-signatures.html.en
Trac:
Username: Bry8Star