sks-devel

Re: [Sks-devel] sks-keyservers.net New HKPS subpool added


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 08 Oct 2012 23:01:56 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1

On 10/08/2012 10:49 PM, Phil Pennock wrote:
> On 2012-10-08 at 22:12 +0200, Kristian Fiskerstrand wrote:
>> Lovely! Must admit my setup is a tad more plain than that (just using
>> nginx in front of SKS) :) Will be interesting to see how that goes.
> 
> Mine too.

...

> 
> So, assuming that GnuPG is also doing the right thing with SRV-based
> lookups, I think that the certificate side of things is working.
> 

At least that is a good thing in all this :)

> Unfortunately, with an https: keyserver, GnuPG is sending a request for
> "/" instead of "/pks/lookup?..." :(
> 
> If I do:
> % unbound-control local_data
> % _pgpkey-https._tcp.hkps.pool.sks-keyservers.net SRV 10 10 443 
> sks.spodhuis.org
> ok
> 
> and specify "keyserver hkps://hkps.pool.sks-keyservers.net" in
> ~/.gnupg/gpg.conf, then I find that GnuPG has a security bug!
> 

That seems like another bug to add to the SRV port not being used for
SRV handling. Are you sending it over to gnupg-{users,devel}?

I'll have to remove the SRV record for keys.kfwebs.net for the pool to
function correctly at the moment, as this is not handled. But that bug
has already been reported upstream.

Any thoughts on how I should proceed? Should I disable the cert check in
my crawler so that all hkps servers show up for now until some more of
the server operators (presuming they want to) generate CSRs, or, given
the young nature of this pool, would it be OK to just grow organically?

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Veni vidi visa
I came, I saw, I bought
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
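The two client-side problems raised in this thread (GnuPG requesting "/" instead of "/pks/lookup?..." over https, and the SRV port not being used) come down to how an hkps:// client should turn a pool name plus an SRV answer into the request it sends. The following is an added illustration, not code from GnuPG or SKS: it selects an SRV record per RFC 2782, builds the lookup URL from the SRV target and port (falling back to the pool name on 443 when no SRV data exists), and checks that a request path is a real HKP lookup. The SRV records are constructed, modelled on the record quoted above plus an assumed second one with a non-default port.

```python
import random
from urllib.parse import quote, urlsplit

# Constructed SRV answer set (not a live lookup). The first entry mirrors the
# record quoted in the thread; the second is an assumed lower-priority backup
# on a non-default port, to show that the SRV port must be honoured.
SRV_RECORDS = [
    # (priority, weight, port, target)
    (10, 10, 443, "sks.spodhuis.org"),
    (20, 5, 11372, "backup.example.invalid"),
]


def select_srv(records, rng=random.random):
    """RFC 2782 selection: lowest priority wins; within that priority a target
    is picked at random, proportionally to its weight. rng is injectable so
    the choice can be made deterministic in tests."""
    if not records:
        return None
    best = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == best]
    total = sum(r[1] for r in candidates)
    if total == 0:
        return candidates[0]
    pick = rng() * total
    for rec in candidates:
        pick -= rec[1]
        if pick < 0:
            return rec
    return candidates[-1]


def build_lookup_url(keyserver_uri, records, search, rng=random.random):
    """Build the URL an hkps:// client should request for a key lookup.
    Both the SRV target and the SRV port are used; with no SRV data the
    pool name itself on port 443 is the fallback. TLS certificate
    validation is left to the HTTPS layer that performs the request."""
    pool = urlsplit(keyserver_uri).hostname
    rec = select_srv(records, rng)
    host, port = (rec[3], rec[2]) if rec else (pool, 443)
    path = "/pks/lookup?op=get&options=mr&search=" + quote(search, safe="")
    return f"https://{host}:{port}{path}"


def is_well_formed_request(url):
    """Detect the bug described in the thread: a bare request for '/' rather
    than '/pks/lookup?...'. True only for a proper HKP lookup over https."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and parts.path == "/pks/lookup"
            and "search=" in parts.query)
```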
