On 11/15/2013 07:23 AM, Robin H. Johnson wrote:
> On Thu, Nov 14, 2013 at 07:52:49PM +0800, Patrick Lauer wrote:

..

> 9. You must make your key available in at least the following two
> places:
> 9.1. Uploaded to pool.sks-keyservers.net
> 9.2. An ASCII-armored copy at: dev.g.o:~/public_html/.gpgkey.asc
>
> This is because the keys themselves can be quite large; my key
> with signatures is about 500kb. Having it in both locations
> allows:
> - redundancy when the keyserver rotation is offline.
> - an extra check that the keyserver copy is not modified.

I'm not entirely sure I understand the point above. OpenPGP keys are
self-contained in terms of object security, whereby the various
elements are signed by the master Certificate key. Any modification
done on a keyserver would invalidate the signature and invalidate e.g.
a UID or a subkey.

One thing that could be practically done is to remove an entire
element (e.g. a UID or a subkey), but since the keyservers are
add-only by design (in particular to preserve revocation
certificates), this would mean that either a non-trusted keyserver is
used or it has been manipulated in transit.

The latter can be mitigated using the HKPS protocol[0], as also
suggested in [1]. For the former, some level of trust has to be put in
the keyserver operators of a given pool, but since the servers
reconcile with each other, and are merge-only, any attack like this
would need to simultaneously attack the 80 or so keyservers in the
main pool at any given time (or for HKPS about 20)[2], as the client
will select a random keyserver from a DNS round-robin for each query.
An alternative is of course to run a local keyserver.

I'm new to this list, so excuse me for not following the entire
discussion; I've only browsed through the archives, but maybe a bit
too quickly.

An interesting point with PKI is obviously key validation. How would
this be set up in this environment? A central "Gentoo Developer CA" or
through some form of hierarchy with CA signing project leads that
again validate members' keys?

References:
[0] https://sks-keyservers.net/overview-of-pools.php#pool_hkps
[1] https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#consider-making-your-default-keyserver-use-a-keyse
[2] https://sks-keyservers.net/status/

--
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
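The "extra check that the keyserver copy is not modified" discussed in the thread, as an added example that is neither from the thread nor from Gentoo's tooling: a small Python comparison of two binary (de-armored) copies of the same OpenPGP key that lists which elements and signatures the served copy lacks, which is exactly the one tampering (removal of a UID, subkey or revocation) that self-signatures cannot catch. The packet walker, `key_skeleton` and `missing_from` are hypothetical helpers; element labels are the UID string or a SHA-1 of the packet body standing in for a fingerprint, the sample packets are constructed placeholders rather than real key material, and verifying the self-signatures themselves remains gpg's job.

```python
import hashlib

NAMES = {6: "public-key", 13: "user-id", 14: "public-subkey", 17: "user-attribute"}

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary (de-armored) key; RFC 4880 section 4.2 headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:  # new format: tag in the low 6 bits, 1-, 2- or 5-octet length field
            tag, l0 = ctb & 0x3F, data[i + 1]
            if l0 < 192:
                length, hdr = l0, 2
            elif l0 < 224:
                length, hdr = ((l0 - 192) << 8) + data[i + 2] + 192, 3
            else:  # 255 = 5-octet length; 224-254 are partial bodies, which key material never uses
                assert l0 == 255, f"partial body length at offset {i}"
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
        elif ctb & 0x80:  # old format: tag in bits 2-5, number of length octets from bits 0-1
            tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]  # type 3 (indeterminate) -> KeyError
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        else:
            raise ValueError(f"bad packet header at offset {i} (armored text instead of binary?)")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def key_skeleton(data):
    """Map each element (primary key, UID, subkey) to the set of signatures that follow it."""
    skeleton, current = {}, None
    for tag, body in iter_packets(data):
        if tag in NAMES:  # label: the UID string, or a SHA-1 of the body as a stand-in for a fingerprint
            ident = body.decode("utf-8", "replace") if tag == 13 else hashlib.sha1(body).hexdigest()[:16]
            skeleton[(current := f"{NAMES[tag]}:{ident}")] = set()
        elif tag == 2 and current is not None:
            skeleton[current].add(hashlib.sha1(body).hexdigest()[:16])
    return skeleton

def missing_from(reference, copy):
    """Elements and signatures in `reference` that `copy` lacks; merge-only keyservers should never drop any."""
    ref, cp = key_skeleton(reference), key_skeleton(copy)
    return {e: sorted(s - cp.get(e, set())) for e, s in ref.items() if e not in cp or s - cp[e]}

def pkt(tag, body, old=False):  # one packet with a one-octet length; constructed test data only
    return bytes([0x80 | tag << 2 if old else 0xC0 | tag, len(body)]) + body

# Constructed stand-in for the dev.g.o copy: primary key (old-format header, as GnuPG writes it),
# a UID with its self-signature and a revocation, and a subkey with its binding signature.
HEAD = pkt(6, b"\x04primary-key", old=True) + pkt(13, b"Alice <alice@example.org>") + pkt(2, b"\x13uid-self-sig")
LOCAL_COPY = HEAD + pkt(2, b"\x30uid-revocation") + pkt(14, b"\x04subkey") + pkt(2, b"\x18subkey-binding")
SERVED_COPY = HEAD + pkt(14, b"\x04subkey")  # the keyserver's copy with the revocation and binding sig gone
```

`missing_from(LOCAL_COPY, SERVED_COPY)` flags one signature missing under the UID and one under the subkey, while the reverse direction is empty, since a served copy that is merely a superset (extra third-party signatures merged in) is the normal case.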