Mailing List Archive

Martin wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi list
>
> Which keyserver do you recommend these days?
>
> I have hkps://keys.openpgp.org in gpg.conf - but it seems that there
> are missing a lot of public keys on this server.

Hi,

good question ... I like https://keys.mailvelope.com/ best, because
it only allows publishing your pub key if you decrypt their reply
with your secret key and as bonus it keeps your collected WoT sigs,
in case you need the classical WoT signatures, or CA sigs, like from
Governikus etc.

Unfortunately gpg.conf, IIRC, allows only defining one key server and
many people still use SKS key servers.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2020-09-17 at 22:57 +0200, Martin wrote:
> Which keyserver do you recommend these days?

For what purpose?

For receiving updates to previously known keys, of people who care
enough about their keys to distribute their keys across multiple
keyservers instead of just going "I pushed it to the keyservers, that's
it, I don't care", hkps://keys.openpgp.org is probably the most
reasonable choice.

There's no choice for general purpose, and "running a keysigning party"
or "finding someone's key from their fingerprint" which works well
today. If publishing keys, I do recommend setting up WKD for your
domain, which helps a little. And heck, I run a finger daemon written
in Go for a true blast from the past. :)

<hkp://the.earth.li> is in the UK, run from the same University bunch of
folks as gave us PuTTY and has been around receiving keys from the SKS
keyservers via email for ages, so tends to be "fairly well populated",
so is where I try next after openpgp.org.

After that I hit old SKS keyservers which usually seem to work, whether
or not these entries are in the pools and _current_, since they'll at
least get me some of a key; the pool hostnames haven't been worth trying
the last several times I checked, too many bad servers.

hkps://keyserver.ubuntu.com
hkps://zimmermann.mayfirst.org
hkp://keys2.kfwebs.net
hkps://pgp.mit.edu

The kfwebs and pgp.mit.edu servers appear to not be working right now,
which leaves us with Ubuntu's and Dan Gillmor's (DKG's) mayfirst.org
server.

You can still look over https://sks-keyservers.net/status/ to see if
there are any working there, if the pool hostnames are broken for you at
the time you check. The status list for the servers not in the pools
will show you how far "behind" they are.

-Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Le jeudi 17 septembre 2020 à 18:13 -0400, Phil Pennock via Gnupg-users
a écrit :
> If publishing keys, I do recommend setting up WKD for your
> domain, which helps a little.

What is the status of WKD now, and is it to superseed centralized key
servers ?

Franck


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> What is the status of WKD now, and is it to superseed centralized key
> servers ?

Not for folks who have their email address at the domain of an email provider,
or an organization that doesn't support WKD. So statistically, everyone but
a rounding error.

That said, for folks who run their own domain, a it seems WKD is gaining some
ground. keys.o.o has a (sort of experimental) "[WKD as a Service]" feature, and
at this point there are more than 100 domains running on it. That's not a huge
amount, assuming most of those are single-user domains, but it's something :)

- V

[WKD as a Service]: https://keys.openpgp.org/about/usage#wkd-as-a-service

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

I wasn't aware of WKD, thanks for the heads up.

Is it possible to define multiple sources of keys with WKD, for example
with a dns TXT record? The use-case would be if the main server is down,
alternative places to get it.


On Fri, Sep 18, 2020 at 12:55:45PM +0200, Vincent Breitmoser via Gnupg-users wrote:
>
> > What is the status of WKD now, and is it to superseed centralized key
> > servers ?
>
> Not for folks who have their email address at the domain of an email provider,
> or an organization that doesn't support WKD. So statistically, everyone but
> a rounding error.
>
> That said, for folks who run their own domain, a it seems WKD is gaining some
> ground. keys.o.o has a (sort of experimental) "[WKD as a Service]" feature, and
> at this point there are more than 100 domains running on it. That's not a huge
> amount, assuming most of those are single-user domains, but it's something :)
>
> - V
>
> [WKD as a Service]: https://keys.openpgp.org/about/usage#wkd-as-a-service
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not
working right. I was not getting any hits back when searching with
Kleopatra and then I tried to ping that server which returned host not
found.  So I'm also interested if there is a better choice.


On 9/17/2020 1:57 PM, Martin wrote:
> Hi list
>
> Which keyserver do you recommend these days?
>
> I have hkps://keys.openpgp.org in gpg.conf - but it seems that there
> are missing a lot of public keys on this server.
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2020-09-18 at 10:08 +0200, Franck Routier (perso) wrote:
> Le jeudi 17 septembre 2020 à 18:13 -0400, Phil Pennock via Gnupg-users
> a écrit :
> > If publishing keys, I do recommend setting up WKD for your
> > domain, which helps a little.
>
> What is the status of WKD now, and is it to superseed centralized key
> servers ?

It's a draft spec, it's spreading a little. Federated control of your
own namespace is always good. Ultimately it's just HTTPS with a fixed
well-known layout.

kernel.org, debian.org, gentoo.org, archlinux.org -- it's spreading
amongst the Linux folks who have a central idea of what PGP keys are
supposed to exist in their domain.

Then there's exim.org and a couple of others, but I set those up and so
I can't say that this is proof of its popularity.

I think that any organization which uses PGP, including for signing
software releases, should be setting up WKD. Non-WKD is for individuals
using PGP on a more ad-hoc basis.

Self-pimping: <https://github.com/PennockTech/openpgpkey-control> has
other/standalone-update-website as a Python tool which can be integrated
into static site builds where something else manages the list of keys (I
have it in a Gulp rule for nats.io site build) and the repo itself is a
framework for managing the keys for one or more domains, so is used for
spodhuis.org, exim.org and pennock-tech.com. The repo is designed to be
easy to fork and replace the key/domain definitions so that others can
use it.

-Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2020-09-18 at 08:06 -0700, Mark wrote:
> I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not
> working right. I was not getting any hits back when searching with
> Kleopatra and then I tried to ping that server which returned host not
> found. So I'm also interested if there is a better choice.

keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is
now returning zero results.

The pool of SKS keyservers is Very Unhealthy. The entire keyserver
system had Known Issues but worked well enough that the volunteers who
ran it could keep it alive and improving, until it came under sustained
attack from people trying to burn it all down and push people to use
"not OpenPGP" instead (some of the funding for attack tool development
came from an org which is firmly pushing one of the modern alternative
encrypted communications tools).

There's still some keyservers, but what you see now are the red smoking
embers of what's left after everything else has been burnt down. From a
pool of around 120 servers, almost all routinely working fairly well and
being able to maintain per-continent pool aliases of servers which were
health-checked and removed if not doing well, there's now fewer than 20
servers left, from very few independent sources, and even those in the
main pool are often not doing well.

Which is why folks are struggling and trying to find something which
works well enough. There's nothing which fits all needs, but various
solutions for some scenarios. See my first reply in this thread with
suggestions of particular servers.

-Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hello,

>Is it possible to define multiple sources of keys with WKD, for example
>with a dns TXT record?

Well, yes, actually. This can be done with both X509 certificates (where it is called SMIMEA) and gpg keys. Obtaining a key basically involves quering the appropriate TYPE in the DNS record (53 for SMIMEA, 61 for openpgp). An additional step is to check the authenticity of this record. All this is completely seperate from WKD though.

That's the theory. In practise, alas, bugger all's using it. It's a shame, since this would really be a big step forward. The catch here is that it needs to be supported by the mail server where the addressee has his account. Needless to mention it is hardly deployed; in Germany mail.de has it, as do a number of paid email services. Plus, of course: before this goes big, the big email clients would have to support it. Of course you can hack something together using only command line tools (I've done that), but that's not the cup of tea for 99.9% of normal email users.

Vincent Breitmoser described this in this thread eloquently as being used by effectively nobody but a rounding error. Sigh.

Andreas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Phil,

Thanks for the explanation on what was happening. I thought something
was just not right as when I hit search it would come back in less than
a second with 0 results. It seemed to me that it didn't actually even
search through the database. Anyway now that you say there is not really
a server anymore to search it makes sense. 

I'm not familiar with the attack on it and by who so will have to google
it and see if I can learn more.

On 9/18/2020 8:32 AM, Phil Pennock wrote:
> On 2020-09-18 at 08:06 -0700, Mark wrote:
>> I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not
>> working right. I was not getting any hits back when searching with
>> Kleopatra and then I tried to ping that server which returned host not
>> found. So I'm also interested if there is a better choice.
> keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is
> now returning zero results.
>
> The pool of is Very Unhealthy. The entire keyserver
> system had Known Issues but worked well enough that the volunteers who
> ran it could keep it alive and improving, until it came under sustained
> attack from people trying to burn it all down and push people to use
> "not OpenPGP" instead (some of the funding for attack tool development
> came from an org which is firmly pushing one of the modern alternative
> encrypted communications tools).
>
> There's still some keyservers, but what you see now are the red smoking
> embers of what's left after everything else has been burnt down. From a
> pool of around 120 servers, almost all routinely working fairly well and
> being able to maintain per-continent pool aliases of servers which were
> health-checked and removed if not doing well, there's now fewer than 20
> servers left, from very few independent sources, and even those in the
> main pool are often not doing well.
>
> Which is why folks are struggling and trying to find something which
> works well enough. There's nothing which fits all needs, but various
> solutions for some scenarios. See my first reply in this thread with
> suggestions of particular servers.
>
> -Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2020-09-18 at 15:04 +0200, accounts-gnupg@holbrook.no wrote:
> Is it possible to define multiple sources of keys with WKD, for example
> with a dns TXT record? The use-case would be if the main server is down,
> alternative places to get it.

The SRV record approach had to be dropped because the people doing
OpenPGP in web-browsers protested hard, since browsers _still_ refuse to
implement SRV lookup. So we're stuck with an ancient model.

Currently that means "set up openpgpkey.example.org using whatever
loadbalancers and multiple A records across regions you like".

Within a few years we _might_ be able to get SRV-like distribution for
HTTPS with the proposed new `HTTPS` RR-type for DNS:
https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https
but that's not something you can rely on today.

-Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is
> now returning zero results.

Let me break the prose down into the simple facts:

* the "HKPS" pool is no longer actually a "pool". it is a [single server].

* the "HKP" pool still contains a few servers, but using it means *all communication happens in plain text*.

* the newest release of SKS is [1.1.6], from august 2016.

> until it came under sustained attack from people trying to burn it all down

It is true the attacks were what brought it down, but the amount of effort was not a "sustained
attack" by any measure. The invested resources are somewhere around "couple hours and $0.00".

- V

[single server]: https://sks-keyservers.net/status/ (hkps column)
[1.1.6]: https://github.com/SKS-Keyserver/sks-keyserver/commit/b1725fda5dd89343b304c2126df78ad34bef66a8

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi


On Friday 18 September 2020 at 4:32:55 PM, in
<mid:20200918153255.GB491907@fullerene.field.pennock-tech.net>, Phil
Pennock via Gnupg-users wrote:-


> keys.gnupg.net is a CNAME for
> hkps.pool.sks-keyservers.net -- which is
> now returning zero results.


The GnuPG manual's description [0] of the Dirmngr option "--keyserver name" still ends with "If no keyserver is explicitly configured, dirmngr will use the built-in default of hkps://hkps.pool.sks-keyservers.net." Is this still true, or was the default changed?

[0] https://gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html#Dirmngr-Options

--
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

Ballerinas are always on their toes. We need taller ballerinas!

> It is true the attacks were what brought it down, but the amount of effort was not a "sustained
> attack" by any measure. The invested resources are somewhere around "couple hours and $0.00".

I'm not sure that's true.

The keyserver poisoning attack was demonstrated first by EFF's Micah
Lee. When he published his findings, he also published the Python
scripts necessary to execute the attack.

I don't know who the poisoner was. However, if I were to do the
poisoning attack I certainly would've begun by downloading Micah's code
and adapting it to the task. And for that reason I think it's entirely
reasonable to believe the keyserver poisoning attack was bootstrapped by
an EFF-funded research project which inappropriately released attack tools.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Robert J. Hansen wrote:

> > It is true the attacks were what brought it down, but the amount of effort was not a "sustained
> > attack" by any measure. The invested resources are somewhere around "couple hours and $0.00".
>
> I'm not sure that's true.

[...]

I think it does not matter.

Professional businesses and their customers can use the mentioned Mailvelope key server,
to protect their keys or use for anonymity purposes Hagrid, in combination with sequoia
pgp, while the geeks can use WKD.

The only thing SKS, so it seems, is currently good for is decentralized file sharing or
for chat purposes, when using SKS chat software.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2020-09-19 at 11:44 +0100, MFPA via Gnupg-users wrote:
> On Friday 18 September 2020 at 4:32:55 PM, in
> <mid:20200918153255.GB491907@fullerene.field.pennock-tech.net>, Phil
> Pennock via Gnupg-users wrote:-
>
>
> > keys.gnupg.net is a CNAME for
> > hkps.pool.sks-keyservers.net -- which is
> > now returning zero results.
>
>
> The GnuPG manual's description [0] of the Dirmngr option "--keyserver name" still ends with "If no keyserver is explicitly configured, dirmngr will use the built-in default of hkps://hkps.pool.sks-keyservers.net." Is this still true, or was the default changed?

The original question was:
} I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not

so that's what I answered. keys.gnupg.net _used to be_ the default, but
it was changed and nowadays there is both a CNAME in DNS and logic in
modern GnuPG to hard-replace the hostname.

The mapping is in dirmngr/server.c:make_keyserver_item() and the default
is found via compile-time configure, which defaults to
hkps://hkps.pool.sks-keyservers.net (see configure.ac
DIRMNGR_DEFAULT_KEYSERVER).

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stefan Claas wrote in
<20200919201736.000025f5@300baud.de>:
|Robert J. Hansen wrote:
|>> It is true the attacks were what brought it down, but the amount \
|>> of effort was not a "sustained
|>> attack" by any measure. The invested resources are somewhere around \
|>> "couple hours and $0.00".
|>
|> I'm not sure that's true.
|
|[...]
|
|I think it does not matter.
|
|Professional businesses and their customers can use the mentioned Mailve\
|lope key server,
|to protect their keys or use for anonymity purposes Hagrid, in combination \
|with sequoia
|pgp, while the geeks can use WKD.
|
|The only thing SKS, so it seems, is currently good for is decentralized \
|file sharing or
|for chat purposes, when using SKS chat software.

SKS served me very well for many years, and it is a shame that
even national/related agencies with quite some funding, or
universities with that immense pool of students did not stood up
trying to keep this decade old community driven infrastructure
alive. I guess they all were eating burger, and at that level.

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Steffen Nurpmeso wrote:

> Stefan Claas wrote in
> <20200919201736.000025f5@300baud.de>:
> |Robert J. Hansen wrote:
> |>> It is true the attacks were what brought it down, but the amount \
> |>> of effort was not a "sustained
> |>> attack" by any measure. The invested resources are somewhere around \
> |>> "couple hours and $0.00".
> |>
> |> I'm not sure that's true.
> |
> |[...]
> |
> |I think it does not matter.
> |
> |Professional businesses and their customers can use the mentioned Mailve\
> |lope key server,
> |to protect their keys or use for anonymity purposes Hagrid, in combination \
> |with sequoia
> |pgp, while the geeks can use WKD.
> |
> |The only thing SKS, so it seems, is currently good for is decentralized \
> |file sharing or
> |for chat purposes, when using SKS chat software.
>
> SKS served me very well for many years, and it is a shame that
> even national/related agencies with quite some funding, or
> universities with that immense pool of students did not stood up
> trying to keep this decade old community driven infrastructure
> alive. I guess they all were eating burger, and at that level.

Well, there is IMHO a good replacement for SKS available, called
hockeypuck and it is written in modern Golang.

The problem is that those (I don't know what to call these people
publicity) SKS key server operators have no plan.

The hockeypuck author is really fast in responding when it comes
to issues and I guess he would be quite happy to help the SKS operators
with solving issues, or listen to users if they have proposals.

The good thing about the modern programming language Golang is that
*soooooo* many (young) people are using Golang nowadays, that
it should be easy to assist the author of hockeypuck.

Regards
Stefan


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> On 19 Sep 2020, at 20:05, Stefan Claas <sac@300baud.de> wrote:
>
> Well, there is IMHO a good replacement for SKS available, called
> hockeypuck and it is written in modern Golang.

This is beside the point. SKS is both a protocol and an implementation. Hockeypuck is a reimplementation of the same protocol and is so is vulnerable to the same poisoning issues.

The problem with the SKS *protocol* is very hard to fix, because designing a universal, publicly writable datastore means solving a trilemma: censorship resistance, vandalism resistance, and decentralisation. SKS prioritises censorship resistance and decentralisation, and so is vulnerable to vandalism. Hagrid “solves” the vandalism problem by abandoning decentralisation. WKD steps outside the problem space by abandoning universality. All these are valid alternatives, but none can be called a “replacement”.

A
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Andrew Gallagher wrote:

>
> > On 19 Sep 2020, at 20:05, Stefan Claas <sac@300baud.de> wrote:
> >
> > Well, there is IMHO a good replacement for SKS available, called
> > hockeypuck and it is written in modern Golang.
>
> This is beside the point. SKS is both a protocol and an implementation. Hockeypuck is a reimplementation of the same protocol
> and is so is vulnerable to the same poisoning issues.
>
> The problem with the SKS *protocol* is very hard to fix, because designing a universal, publicly writable datastore means
> solving a trilemma: censorship resistance, vandalism resistance, and decentralisation. SKS prioritises censorship resistance
> and decentralisation, and so is vulnerable to vandalism. Hagrid “solves” the vandalism problem by abandoning
> decentralisation. WKD steps outside the problem space by abandoning universality. All these are valid alternatives, but none
> can be called a “replacement”.

*With all due respect*, the problems you mention with the SKS protocol is IMHO absolutely solvable with hockeypuck if the author
implements the same Mailvelope or Hagrid confirmation process for its users, or it would honor the SKS --no-modify flag, Werner
implemented long time ago in GnuPG. And if (former) SKS key server operators would be honest this could be solved with
hockeypuck and if not people which are using GnuPG or OpenPGP apps may wondering how it comes that a client/server model for
*security/privacy* software is from the SKS server side globally still operated, if it can not *protect* their users pub keys
adequately?

I am very sorry to say that but all arguments from former or current SKS operators do not convince me nor do they show the
OpenPGP users community willingness or advancements in this area, to be taken serious.

Best regards
Stefan


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> On 19 Sep 2020, at 21:06, Stefan Claas <sac@300baud.de> wrote:
>
> *With all due respect*, the problems you mention with the SKS protocol is IMHO absolutely solvable with hockeypuck if the author
> implements the same Mailvelope or Hagrid confirmation process for its users

If you have not yet read the mega threads from a year or two back over on the sks mailing list discussing how filtering is incompatible with open synchronisation, I suggest you do so before opining further. I really don’t have the energy to explain it again! ;-) tl;dr: if you don’t have either a central authority or an agreed, future-proof zkp system of verification (itself a Very Hard Problem) then your decentralised network goes split brain at the slightest provocation.

https://lists.nongnu.org/archive/html/sks-devel/2018-05/msg00009.html

https://lists.nongnu.org/archive/html/sks-devel/2019-02/msg00010.html

I’d also suggest reading DKG’s proposals for what *is* technically possible, as they are pretty comprehensive:

https://lists.nongnu.org/archive/html/sks-devel/2019-04/msg00002.html

Finally, I would suggest continuing any technical discussions on sks-devel rather than here as we are veering off topic.

A

Andrew Gallagher wrote:

>
> > On 19 Sep 2020, at 21:06, Stefan Claas <sac@300baud.de> wrote:
> >
> > *With all due respect*, the problems you mention with the SKS protocol is IMHO absolutely solvable with hockeypuck if the
> > author implements the same Mailvelope or Hagrid confirmation process for its users
>
> If you have not yet read the mega threads from a year or two back over on the sks mailing list discussing how filtering is
> incompatible with open synchronisation, I suggest you do so before opining further. I really don’t have the energy to explain
> it again! ;-) tl;dr: if you don’t have either a central authority or an agreed, future-proof zkp system of verification
> (itself a Very Hard Problem) then your decentralised network goes split brain at the slightest provocation.
>
> https://lists.nongnu.org/archive/html/sks-devel/2018-05/msg00009.html
>
> https://lists.nongnu.org/archive/html/sks-devel/2019-02/msg00010.html
>
> I’d also suggest reading DKG’s proposals for what *is* technically possible, as they are pretty comprehensive:
>
> https://lists.nongnu.org/archive/html/sks-devel/2019-04/msg00002.html
>
> Finally, I would suggest continuing any technical discussions on sks-devel rather than here as we are veering off topic.

I am not interested to discuss old SKS issues/proposals further on the SKS mailing list
with (former) SKS operators and only wanted to bring my POV to GnuPG users attention.

I am aware of dkg's fine draft and his other valuable contributions he made.

I stand by my points that hockeypuck can solve the issues and will respect your
wish to not further discuss technical SKS issues here on the GnuPG Mailing List.

In case dkg is reading this thread, maybe he, as highly respected community member and
skilled programmer, can discuss these things with the hockeypuck author on GitHub, in
case he has time and is willing to do so.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi Andrew,

On Sat, 19 Sep 2020 21:38:22 +0200,
Andrew Gallagher wrote:
> Hagrid $B!H(Bsolves$B!I(B the vandalism problem by abandoning
> decentralisation.

This is not strictly true.

When we think about updating keys, there are two types of information
that can be updated:

- Identity Information (User IDs)
- Operational Information (Revocations, Subkey Rotations, Metadata
(self-sig) updates, etc.)

Identity information in privacy sensitive, and we think people should
be able to control where their details are published, and have the
ability to retract them, if desired. This requires some type of
centralization.

Operation Information does not require the same protection, and can
and should be widely published. It would be possible to create a
network of keyservers that synchronize this type of information in a
similar way to how SKS worked. But, we know from experience with SKS
that this is not easy (the set of filters needs to be synchronized,
etc., which is a type of centralization). So far, no one has taken
the time to think through this problem, and implement a solution for
Hagrid. But, I think that we'd welcome a patch that adds such
functionality.

:) Neal

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi


On Saturday 19 September 2020 at 7:34:13 PM, in
<mid:20200919183413.GA607461@fullerene.field.pennock-tech.net>, Phil
Pennock via Gnupg-users wrote:-


> The original question was:
> } I use GPG4Win and I've noticed that
> "hkp://keys.gnupg.net" is not

> so that's what I answered.

I asked a different but related question that occurred to me when I read in your post that hkps.pool.sks-keyservers.net "is now returning zero results". I had noticed the GnuPG manual says the default keyserver is hkps.pool.sks-keyservers.net. I was under the impression the default had been changed to the Hagrid keyserver at keys.openpgp.org after the SKS attacks, so I asked the question to this list.


> The mapping is in
> dirmngr/server.c:make_keyserver_item() and the default
> is found via compile-time configure, which defaults to
> hkps://hkps.pool.sks-keyservers.net (see configure.ac
> DIRMNGR_DEFAULT_KEYSERVER).

So we have a default keyserver that is returning zero results?

--
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

The more corrupt the state, the more numerous the laws. (Tacitus)