Finished PKA feature

NEWS

@@ -11,11 +11,14 @@ Noteworthy changes in version 1.4.3
       Note also that a future version of GnuPG will remove the old
       keyserver helpers altogether.
 
-    * Implemented Public Key Association (PKA) trust model option.
-      This is an optional trust model on top of the standard ones.  It
-      make use of of special DNS records and notation data to
-      associate a mail address with an OpenPGP key.  See: XXXX for a
-      description.
+    * Implemented Public Key Association (PKA) trust sub model.  This
+      is an optional trust model on top of the standard ones.  It make
+      use of special DNS records and notation data to associate a mail
+      address with an OpenPGP key. It is by default not used.  To use
+      it you need to set the new option --allow-pka-lookup and an
+      appropriate trust-model.  Also added new keyserver option
+      auto-pka-retrieve which is enabled by default but only working
+      if --allow-pka-lookup is also used.
 
     * When exporting subkeys, those specified with a key ID or
       fingerpint and the '!' suffix are now merged into one keyblock.

THANKS

@@ -33,7 +33,7 @@ Christopher Oliver	   oliver@fritz.traverse.net
 Christian Recktenwald	   chris@citecs.de
 Dan Winship                danw@helixcode.com
 Daniel Eisenbud 	   eisenbud@cs.swarthmore.edu
-Daniel Koening		   dan@mail.isis.de
+Daniel Koening		   dan@chaosdorf.de
 Daniel Resare		   daniel@resare.com
 Dany Nativel               dany@natzo.com
 Dave Dykstra		   dwd@bell-labs.com
@@ -116,6 +116,7 @@ Karl Fogel		   kfogel@guanabana.onshore.com
 Karsten Thygesen	   karthy@kom.auc.dk
 Katsuhiro Kondou	   kondou@nec.co.jp
 Kazu Yamamoto		   kazu@iijlab.net
+Kazuyoshi Kakihara         
 Keith Clayton              keith@claytons.org
 Kevin Ryde                 user42@zip.com.au
 Klaus Singvogel            ks@caldera.de

doc/ChangeLog

@@ -1,3 +1,9 @@
+2005-12-20  Werner Koch  <wk@g10code.com>
+
+	* gpg.sgml (trust-model): Document "auto" and the "pka" variants.
+	(keyserver-options): Document "auto-pka-retrieve".
+	(allow-pka-lookup): Document.
+
 2005-12-08  David Shaw  <dshaw@jabberwocky.com>
 
 	* gpg.sgml: Document --fetch-keys.

doc/DETAILS

@@ -287,6 +287,12 @@ more arguments in future versions.
 	to indicate how trustworthy the signature is.  The error token
         values are currently only emiited by gpgsm.
 
+    PKA_TRUST_GOOD <mailbox>
+    PKA_TRUST_BAD  <mailbox>
+        Depending on the outcome of the PKA check one of the above
+        status codes is emitted in addition to a TRUST_* status.
+        Without PKA info available or 
+
     SIGEXPIRED
 	This is deprecated in favor of KEYEXPIRED.
 

doc/gpg.sgml

@@ -1186,7 +1186,7 @@ recipient's or signator's key.
 </para></listitem></varlistentry>
 
 <varlistentry>
-<term>--trust-model <parameter>pgp|classic|always</parameter></term>
+<term>--trust-model <parameter>pgp|classic|direct|always</parameter></term>
 <listitem><para>
 
 Set what trust model GnuPG should follow.  The models are:
@@ -1195,7 +1195,14 @@ Set what trust model GnuPG should follow.  The models are:
 
 <varlistentry><term>pgp</term><listitem><para>
 This is the Web of Trust combined with trust signatures as used in PGP
-5.x and later.  This is the default trust model.
+5.x and later.  This is the default trust model when creating a new
+trust database.
+</para></listitem></varlistentry>
+
+<varlistentry><term>pgp+pka</term><listitem><para>
+Same as <term>pka</term> but a valid PKA will increase the trust to full.
+Note, that the option <term>--allow-pka-lookup</term> needs to be
+enabled to actually make this work.
 </para></listitem></varlistentry>
 
 <varlistentry><term>classic</term><listitem><para>
@@ -1207,6 +1214,10 @@ Key validity is set directly by the user and not calculated via the
 Web of Trust.
 </para></listitem></varlistentry>
 
+<varlistentry><term>direct+pka</term><listitem><para>
+Same as <term>direct</term> but a valid PKA will increase the trust to full.
+</para></listitem></varlistentry>
+
 <varlistentry><term>always</term><listitem><para>
 Skip key validation and assume that used keys are always fully
 trusted.  You won't use this unless you have installed some external
@@ -1215,6 +1226,18 @@ printed with signature checks when there is no evidence that the user
 ID is bound to the key.
 </para></listitem></varlistentry>
 
+<varlistentry><term>auto</term><listitem><para>
+Select the trust model depending on whatever the internal trust
+database says. This is the default model if such a database already
+exists.  Note, this won't enable the PKA sub model.
+</para></listitem></varlistentry>
+
+<varlistentry><term>auto+pka</term><listitem><para>
+Select the trust model depending on whatever the internal trust
+database says and enable the PKA sub model.
+</para></listitem></varlistentry>
+
+
 </variablelist></para></listitem></varlistentry>
 
 <varlistentry>
@@ -1223,6 +1246,15 @@ ID is bound to the key.
 Identical to `--trust-model always'.  This option is deprecated.
 </para></listitem></varlistentry>
 
+<varlistentry>
+<term>--allow-pka-lookup</term>
+<listitem><para>
+This option enables PKA lookups.  PKA is based on DNS; thus enabling
+this option may disclose information on when and what signatures are verified
+or to whom data is encrypted.  This is similar to the "web bug"
+described for the auto-key-retrieve feature.
+</para></listitem></varlistentry>
+
 
 <varlistentry>
 <term>--keyid-format <parameter>short|0xshort|long|0xlong</parameter></term>
@@ -1359,6 +1391,18 @@ on your local keyring), the operator can tell both your IP address and
 the time when you verified the signature.
 </para></listitem></varlistentry>
 
+<varlistentry>
+<term>auto-pka-retrieve</term>
+<listitem><para>
+This option enables the automatic retrieving of missing keys through
+information taken from PKA records in the DNS. Defaults to yes.
+Note, that the option <term>--allow-pka-lookup</term> needs to be
+enabled to actually make this work.  
+</para><para>
+By using this option, one may unintentionally disclose information
+similar to the one described for <term>auto-key-retrieve</term>.
+</para></listitem></varlistentry>
+
 </variablelist>
 </para></listitem></varlistentry>
 

g10/ChangeLog

@@ -1,3 +1,20 @@
+2005-12-20  Werner Koch  <wk@g10code.com>
+
+	* gpg.c: New option --allow-pka-lookup.
+	(parse_trust_model): Add "+pka" variants.
+	(main): Make KEYSERVER_AUTO_PKA_RETRIEVE teh default.
+	* options.h (opt): New fields PKA_TRUST_INCREASE and
+	ALLOW_PKA_LOOKUP.
+	* status.h (STATUS_PKA_TRUST_BAD, STATUS_PKA_TRUST_GOOD): New.
+	* pkclist.c (check_signatures_trust): Increase trust due to valid
+	PKA only if that new option has been set.  Issue new status lines.
+	* trustdb.c (init_trustdb): Print info if this option is active.
+	* getkey.c (get_pubkey_byname): Honor allow-pka-lookup.
+	* mainproc.c (pka_uri_from_sig): Ditto.
+	
+	* trustdb.c (validate_keys): Print no "ultimately trusted keys
+	found" only in non-quiet mode.
+
 2005-12-19  David Shaw  <dshaw@jabberwocky.com>
 
 	* getkey.c (merge_selfsigs_main): All primary keys can certify.
@@ -23,6 +40,9 @@
 
 2005-12-08  Werner Koch  <wk@g10code.com>
 
+	* gpg.c (main): Check for DBCS lead byte when converting the
+	homedir.  By Kazuyoshi Kakihara. Fixes PR561.
+
 	* keyserver.c (keyserver_fetch): Made strings translatable.
 
 2005-12-08  David Shaw  <dshaw@jabberwocky.com>

g10/getkey.c

@@ -914,6 +914,7 @@ get_pubkey_byname (PKT_public_key *pk,
                    include_unusable, ret_keyblock, ret_kdbhd);
   if (rc == G10ERR_NO_PUBKEY
       && !again
+      && opt.allow_pka_lookup
       && (opt.keyserver_options.options&KEYSERVER_AUTO_PKA_RETRIEVE)
       && is_valid_mailbox (name))
     {

g10/gpg.c

@@ -35,6 +35,9 @@
 #include <sys/stat.h> /* for stat() */
 #endif
 #include <fcntl.h>
+#ifdef HAVE_W32_SYSTEM
+#include <windows.h>
+#endif
 
 #define INCLUDED_BY_MAIN_MODULE 1
 #include "packet.h"
@@ -240,6 +243,7 @@ enum cmd_and_opt_values
     oAlwaysTrust,
     oTrustModel,
     oForceOwnertrust,
+    oAllowPkaLookup,
     oRunAsShmCP,
     oSetFilename,
     oForYourEyesOnly,
@@ -596,6 +600,7 @@ static ARGPARSE_OPTS opts[] = {
     { oAlwaysTrust, "always-trust", 0, "@"},
     { oTrustModel, "trust-model", 2, "@"},
     { oForceOwnertrust, "force-ownertrust", 2, "@"},
+    { oAllowPkaLookup,  "allow-pka-lookup", 0, "@" },
     { oRunAsShmCP, "run-as-shm-coprocess", 4, "@" },
     { oSetFilename, "set-filename", 2, "@" },
     { oForYourEyesOnly, "for-your-eyes-only", 0, "@" },
@@ -1442,6 +1447,7 @@ gpgconf_list (const char *configfile)
   printf ("quiet:%lu:\n",   GC_OPT_FLAG_NONE);
   printf ("keyserver:%lu:\n", GC_OPT_FLAG_NONE);
   printf ("reader-port:%lu:\n", GC_OPT_FLAG_NONE);
+  printf ("allow-pka-lookup:%lu:\n", GC_OPT_FLAG_NONE);
 }
 
 
@@ -1597,20 +1603,47 @@ collapse_args(int argc,char *argv[])
 static void
 parse_trust_model(const char *model)
 {
+  opt.pka_trust_increase = 0;
   if(ascii_strcasecmp(model,"pgp")==0)
-    opt.trust_model=TM_PGP;
+    {
+      opt.trust_model=TM_PGP;
+    }
+  else if(ascii_strcasecmp(model,"pgp+pka")==0)
+    {
+      opt.trust_model=TM_PGP;
+      opt.pka_trust_increase = 1;
+    }
   else if(ascii_strcasecmp(model,"classic")==0)
-    opt.trust_model=TM_CLASSIC;
+    {
+      opt.trust_model=TM_CLASSIC;
+    }
   else if(ascii_strcasecmp(model,"always")==0)
-    opt.trust_model=TM_ALWAYS;
+    {
+      opt.trust_model=TM_ALWAYS;
+    }
   else if(ascii_strcasecmp(model,"direct")==0)
-    opt.trust_model=TM_DIRECT;
+    {
+      opt.trust_model=TM_DIRECT;
+    }
+  else if(ascii_strcasecmp(model,"direct+pka")==0)
+    {
+      opt.trust_model=TM_DIRECT;
+      opt.pka_trust_increase = 1;
+    }
   else if(ascii_strcasecmp(model,"auto")==0)
-    opt.trust_model=TM_AUTO;
+    {
+      opt.trust_model=TM_AUTO;
+    }
+  else if(ascii_strcasecmp(model,"auto+pka")==0)
+    {
+      opt.trust_model=TM_AUTO;
+      opt.pka_trust_increase = 1;
+    }
   else
     log_error("unknown trust model `%s'\n",model);
 }
 
+
 int
 main (int argc, char **argv )
 {
@@ -1698,10 +1731,11 @@ main (int argc, char **argv )
     opt.keyserver_options.import_options=IMPORT_REPAIR_PKS_SUBKEY_BUG;
     opt.keyserver_options.export_options=EXPORT_ATTRIBUTES;
     opt.keyserver_options.options=
-      KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_INCLUDE_REVOKED|KEYSERVER_TRY_DNS_SRV|KEYSERVER_HONOR_KEYSERVER_URL;
+      KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_INCLUDE_REVOKED|KEYSERVER_TRY_DNS_SRV|KEYSERVER_HONOR_KEYSERVER_URL|KEYSERVER_AUTO_PKA_RETRIEVE;
     opt.verify_options=
       VERIFY_SHOW_POLICY_URLS|VERIFY_SHOW_STD_NOTATIONS|VERIFY_SHOW_KEYSERVER_URLS;
     opt.trust_model=TM_AUTO;
+    opt.pka_trust_increase=0;
     opt.mangle_dos_filenames=0;
     opt.min_cert_level=2;
     set_screen_dimensions();
@@ -1772,7 +1806,13 @@ main (int argc, char **argv )
         char *d, *buf = xmalloc (strlen (opt.homedir)+1);
         const char *s = opt.homedir;
         for (d=buf,s=opt.homedir; *s; s++)
+          {
             *d++ = *s == '\\'? '/': *s;
+#ifdef HAVE_W32_SYSTEM
+            if (s[1] && IsDBCSLeadByte (*s))
+              *d++ = *++s;
+#endif
+          }
         *d = 0;
         set_homedir (buf);
     }
@@ -2108,6 +2148,9 @@ main (int argc, char **argv )
 		opt.force_ownertrust=0;
 	      }
 	    break;
+          case oAllowPkaLookup:
+            opt.allow_pka_lookup = 1;
+            break;
 	  case oLoadExtension:
 #ifndef __riscos__
 #if defined(USE_DYNAMIC_LINKING) || defined(_WIN32)

g10/keyserver.c

@@ -88,7 +88,7 @@ static struct parse_options keyserver_opts[]=
     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
      N_("automatically retrieve keys when verifying signatures")},
     {"auto-pka-retrieve",KEYSERVER_AUTO_PKA_RETRIEVE,NULL,
-     NULL},
+     N_("automatically retrieve keys from DNS")},
     {"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL,
      NULL},
     {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,

g10/mainproc.c

@@ -1372,7 +1372,7 @@ pka_uri_from_sig (PKT_signature *sig)
       assert (!sig->pka_info);
       sig->flags.pka_tried = 1;
       sig->pka_info = get_pka_address (sig);
-      if (sig->pka_info)
+      if (sig->pka_info && opt.allow_pka_lookup)
         {
           char *uri;
 

g10/options.h

@@ -103,6 +103,8 @@ struct
       TM_CLASSIC=0, TM_PGP=1, TM_EXTERNAL=2, TM_ALWAYS, TM_DIRECT, TM_AUTO
     } trust_model;
   int force_ownertrust;
+  int pka_trust_increase;  /* Valid PKA information increases the trust. */
+  int allow_pka_lookup;    /* PKA lookups are only done if this is set. */
   enum
     {
       CO_GNUPG=0, CO_RFC2440, CO_RFC1991, CO_PGP2, CO_PGP6, CO_PGP7, CO_PGP8

g10/pkclist.c

@@ -549,12 +549,14 @@ check_signatures_trust( PKT_signature *sig )
       if ( fprlen == 20 && !memcmp (sig->pka_info->fpr, fpr, 20) )
         {
           okay = 1;
+          write_status_text (STATUS_PKA_TRUST_GOOD, sig->pka_info->email);
           log_info (_("Note: Verified signer's address is `%s'\n"),
                     sig->pka_info->email);
         }
       else
         {
           okay = 0;
+          write_status_text (STATUS_PKA_TRUST_BAD, sig->pka_info->email);
           log_info (_("Note: Signer's address `%s' "
                       "does not match DNS entry\n"), sig->pka_info->email);
         }
@@ -564,17 +566,19 @@ check_signatures_trust( PKT_signature *sig )
         case TRUST_UNKNOWN: 
         case TRUST_UNDEFINED:
         case TRUST_MARGINAL:
-          if (okay)
+          if (okay && opt.pka_trust_increase)
             {
               trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_FULLY);
-              log_info ("trustlevel adjusted to FULL due to valid PKA info\n");
+              log_info (_("trustlevel adjusted to FULL"
+                          " due to valid PKA info\n"));
             }
           /* (fall through) */
         case TRUST_FULLY:
           if (!okay)
             {
               trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_NEVER);
-              log_info ("trustlevel adjusted to NEVER due to bad PKA info\n");
+              log_info (_("trustlevel adjusted to NEVER"
+                          " due to bad PKA info\n"));
             }
           break;
         }

g10/status.c

@@ -163,6 +163,8 @@ get_status_string ( int no )
     case STATUS_SC_OP_SUCCESS  : s = "SC_OP_SUCCESS"; break;
     case STATUS_SC_OP_FAILURE  : s = "SC_OP_FAILURE"; break;
     case STATUS_BACKUP_KEY_CREATED:s="BACKUP_KEY_CREATED"; break;
+    case STATUS_PKA_TRUST_BAD  : s = "PKA_TRUST_BAD"; break;
+    case STATUS_PKA_TRUST_GOOD : s = "PKA_TRUST_GOOD"; break;
     default: s = "?"; break;
     }
   return s;

g10/status.h

@@ -115,6 +115,9 @@
 
 #define STATUS_BACKUP_KEY_CREATED 81
 
+#define STATUS_PKA_TRUST_BAD    82
+#define STATUS_PKA_TRUST_GOOD   83
+
 
 /*-- status.c --*/
 void set_status_fd ( int fd );

g10/trustdb.c

@@ -450,7 +450,12 @@ init_trustdb()
 	}
 
       if(opt.verbose)
-	log_info(_("using %s trust model\n"),trust_model_string());
+        {
+          log_info(_("using %s trust model\n"),trust_model_string());
+          if (opt.pka_trust_increase)
+            log_info(_("PKA verification is allowed to"
+                       " leverage trust to full\n"));
+        }
     }
 
   if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
@@ -2156,7 +2161,8 @@ validate_keys (int interactive)
    * here when needed */
   if (!utk_list)
     {
-      log_info (_("no ultimately trusted keys found\n"));
+      if (!opt.quiet)
+        log_info (_("no ultimately trusted keys found\n"));
       goto leave;
     }