On 5/27/19 4:39 AM, Phil Pennock wrote:
> hkps is limited because Kristian doesn't hand out certs to anyone who
> shows up with a new keyserver and asks; he tends to do so with people
> who've been around and part of the community, because of the fairly
> obvious problems with assuming TLS is buying you anything when entirely
> unknown-to-others folks run the servers. Kristian takes a lot of flak
> for not giving people the power they want just because they ask for it.
>
> With the various problems of SKS today, I tentatively suggest that not
> defaulting to the HKPS pool and choosing a different target for the
> keys.gnupg.net CNAME might be beneficial.
Adding some meta-info to this one. In addition to the above-mentioned
concerns about new actors (in particular those not part of strong-set),
it is also a question of capacity of the keyservers, so hkps pool is
requiring load-balanced setup with minimum of 3 nodes on modern hardware
(e.g a node today requires a minimum of 8 GiB of RAM to be responsive
during merge of certain keys). The propagation time between the servers
in the broader pool became quite big and servers dropping in-out
sporadically due to merges.
Now, this is somewhat better for the general pool since
https://dev.gnupg.org/T4175 results in retry on failover for 5xx codes,
but has caused a lot of problem reports in the past and not all distros
ship this in stable versions.
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
> hkps is limited because Kristian doesn't hand out certs to anyone who
> shows up with a new keyserver and asks; he tends to do so with people
> who've been around and part of the community, because of the fairly
> obvious problems with assuming TLS is buying you anything when entirely
> unknown-to-others folks run the servers. Kristian takes a lot of flak
> for not giving people the power they want just because they ask for it.
>
> With the various problems of SKS today, I tentatively suggest that not
> defaulting to the HKPS pool and choosing a different target for the
> keys.gnupg.net CNAME might be beneficial.
Adding some meta-info to this one. In addition to the above-mentioned
concerns about new actors (in particular those not part of strong-set),
it is also a question of capacity of the keyservers, so hkps pool is
requiring load-balanced setup with minimum of 3 nodes on modern hardware
(e.g a node today requires a minimum of 8 GiB of RAM to be responsive
during merge of certain keys). The propagation time between the servers
in the broader pool became quite big and servers dropping in-out
sporadically due to merges.
Now, this is somewhat better for the general pool since
https://dev.gnupg.org/T4175 results in retry on failover for 5xx codes,
but has caused a lot of problem reports in the past and not all distros
ship this in stable versions.
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
Attached Files:
-
signature.asc (0.48 KB)