[Sks-devel] Any recommendations for recv-only keyserver setup?

sks-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Sks-devel] Any recommendations for recv-only keyserver setup?

From:	Jeff Johnson
Subject:	[Sks-devel] Any recommendations for recv-only keyserver setup?
Date:	Sat, 19 Jun 2010 21:12:05 -0400

I've got a pretty obscure question in the subject line.

I've just finished up drilling keypair/sign methods into RPM and
am starting to sign all built packages automagically.

The RPM usage case is to attach a digital certificate to
every package build, thereby automagically forcing
self-certed signatures/pubkeys into all packages produced by RPM.

The model afaict is a non-repudiation signature as described
in the "Handbook of Applied Cryptography" section 13.8.2 (for reference).

There basic threat to a non-repudation signature is:

        Original signer releases the private key and claims forgery.

Well RPM is just gonna create, use and the discard the private key.
And you're unlikely to hear any claim of Forgery! from a "batch oriented"
installer that isn't permitted any dialog with a luser. ;-)

The other two means described to avoid the threat model involve
a notary, either to acquire a trusted time stamp, or for a signature/pubkey 
registrar.

So -- if I MUST set up a registry (I sure hope not) -- I'd like
to use a SKS server for the implementation.

However RPM is used _LOTS_ and there's no reason whatsoever to
distribute self-certs _EVERYWHERE_, all that's needed is a
standalone SKS server (or a private set of peers).

(aside)
I'd hate to be blamed for damage like 0xCA57AD7C described here
        
http://www.kfwebs.net/articles/article/17/GPG-mass-cleaning-and-the-PGP-Corp.-Global-Directory
Even 5 years later the 0xCA57AD7C litter is everywhere
to be seen. Perhaps its just time for SKS to filter
out expired 0xCA57AD7C signatures to reduce the size of pubkeys? But I digress 
...

But that's the line of reasoning that makes me wonder
        Is it possible to set up a SKS keyserver in recv-only mode?
so that it would receive but not send pubkeys?

Which way do pubkeys travel when gossiping? Towards the initiator
of a gossip connection would be my guess, and so a simple firewall should
be sufficient to put a SKS server into recv-only mode.

I hope my question make sense.

73 de Jeff

[Prev in Thread]

Current Thread

[Next in Thread]

[Sks-devel] Any recommendations for recv-only keyserver setup?, Jeff Johnson <=

Prev by Date: [Sks-devel] Crypto domain auction ends tonight!
Next by Date: [Sks-devel] Anyone syncing with PGP.com keyserver ?
Previous by thread: [Sks-devel] Crypto domain auction ends tonight!
Next by thread: [Sks-devel] Anyone syncing with PGP.com keyserver ?
Index(es):
- Date
- Thread