| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA512 |
| 3 |
|
| 4 |
On 11/15/2013 07:23 AM, Robin H. Johnson wrote: |
| 5 |
> On Thu, Nov 14, 2013 at 07:52:49PM +0800, Patrick Lauer wrote: |
| 6 |
|
| 7 |
.. |
| 8 |
|
| 9 |
> 9. You must make your key available in at least the following two |
| 10 |
> places: 9.1. Uploaded to pool.sks-keyservers.net 9.2. An |
| 11 |
> ASCII-armored copy at: dev.g.o:~/public_html/.gpgkey.asc |
| 12 |
> |
| 13 |
> This is because the keys themselves can be quite large, my key |
| 14 |
> with signatures is about 500kb. Having it in both locations |
| 15 |
> allows: - redundancy when the keyserver rotation is offline. - an |
| 16 |
> extra check that keyserver copy is not modified. |
| 17 |
|
| 18 |
I'm not entirely sure I understand the point above. OpenPGP keys are |
| 19 |
self-contained in terms of object security, whereby the various |
| 20 |
elements are signed by the master Certificate key. Any modification |
| 21 |
done on a keyserver would invalidate the signature and invalidate e.g. |
| 22 |
a UID or a subkey. |
| 23 |
|
| 24 |
One thing that could be practically done is to remove an entire |
| 25 |
element (e.g. a UID or a subkey), but since the keyservers are |
| 26 |
add-only by design (in particular to preserve revocation |
| 27 |
certificates), this would mean that either a non-trusted keyserver is |
| 28 |
used or it has been manipulated in transit. |
| 29 |
|
| 30 |
The latter can be mitigated using the HKPS protocol[0] as also |
| 31 |
suggested in [1]. For the former some level of trust has to be put in |
| 32 |
the keyserver operators of a given pool, but since the servers are |
| 33 |
reconciliation, and are merge only, any attack like this would need to |
| 34 |
simultaneously attack the 80 or so keyservers in the main pool at any |
| 35 |
given time (or for HKPS about 20)[2] as the client will select a |
| 36 |
random keyserver from a DNS round-robin for each query. An alternative |
| 37 |
is of course to run a local keyserver. |
| 38 |
|
| 39 |
I'm new to this list, so excuse me for not following the entire |
| 40 |
discussion, I've only browsed through the archives, but maybe a bit |
| 41 |
too quickly. |
| 42 |
|
| 43 |
An interesting point with PKI is obviously key validation. How would |
| 44 |
this be setup in this environment? A central "Gentoo Developer CA" or |
| 45 |
through some form of hierarchy with CA signing project leads that |
| 46 |
again validate members' keys? |
| 47 |
|
| 48 |
References: |
| 49 |
[0] https://sks-keyservers.net/overview-of-pools.php#pool_hkps |
| 50 |
[1] |
| 51 |
https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#consider-making-your-default-keyserver-use-a-keyse |
| 52 |
[2] https://sks-keyservers.net/status/ |
| 53 |
|
| 54 |
- -- |
| 55 |
- ---------------------------- |
| 56 |
Kristian Fiskerstrand |
| 57 |
Blog: http://blog.sumptuouscapital.com |
| 58 |
Twitter: @krifisk |
| 59 |
- ---------------------------- |
| 60 |
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net |
| 61 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
| 62 |
- ---------------------------- |
| 63 |
Corruptissima re publica plurimæ leges |
| 64 |
The greater the degeneration of the republic, the more of its laws |
| 65 |
-----BEGIN PGP SIGNATURE----- |
| 66 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
| 67 |
|
| 68 |
iQIcBAEBCgAGBQJShk/gAAoJEAt/i2Dj7frjGRcP/18FGQ+uraJlP5mszry3c43p |
| 69 |
Cdm24lLEaL+bjgjUXZkGImB+220C8fSMnwov+w/Lqqirfth4SVmeFKHdic4mNQzX |
| 70 |
kuk5kIFfdviCcGpXwuhmROCKz5Pz2UObQKSqpjUaci0gzDzB/8s0BM7+/EJKUxxc |
| 71 |
e3opxezxlyo/FHEVlIAMwxDK+whJhf7ByszztzWecnNWAKlVKKPQQD2EhWXEhXvt |
| 72 |
NedPVbneXVC6ViHDxSd1vPddWsR71dMR0t6WTUB7sA9m9s0AAxdsBvRLTMYhkXP7 |
| 73 |
uZa/L+BrUcAjW7yHjIHTRcY9Rc31HS9yIlMUu3tNQtnG6SfeEvkAYzd7NtZjx0Hx |
| 74 |
CEioBldThJg6hXqQttd8llSy9FhznkJju/jpkpRF65UoaCJrRFyme94EjRHRwn2F |
| 75 |
+EfWtdwOyn+JXq8RZvnHEC2IipT18TtZLVRrp/Qcv4I51CcG7DSnLg/0levx5nIG |
| 76 |
iLP4XzEU2DOxNty6Gd/Q9F2lmyICdhepyvidXyvFteNTYU1TvGEbTYjnchFaDpzQ |
| 77 |
lPtpHjDednRQDuU74auHkY7A/Bc2bdlQVOB2fO66FpGpj3UMS+fUNN6bjnnEmx3y |
| 78 |
9CVwe662b9f+Sis3utAw+VrsZatQjtqlUEZ1vQgPn2Ye9wnI8m+26Xyroz9qGLkl |
| 79 |
U/FXh1uG9zL6mrzWm5zc |
| 80 |
=fWaT |
| 81 |
-----END PGP SIGNATURE----- |
Archives