[messaging] keys.gnupg.net returns random pages

Phil Pennock mcrypto-messaging+phil at spodhuis.org
Wed Oct 22 17:19:55 PDT 2014


On 2014-10-18 at 22:25 -0700, Daniel Roesler wrote:
> Howdy all, as always, if this is off topic, please direct me to the
> appropriate mailing list.
> 
> Today I randomly visited http://keys.gnupg.net/, which appears to be
> loading various compromised and broken pages[1][2], which was
> confirmed by Zaki and Rhodey[3].

If you want specific help on HKP keyservers, the normal discussion
mailing-list is <sks-devel at nongnu.org> -- this list has operators and
developers on it.

More context: keys.gnupg.net points to pool.sks-keyservers.net which is
round-robin DNS across a bunch of keyservers which exchange keys via the
SKS peering protocol, as implemented in two codebases, SKS (written in
OCaml) and Hockeypuck (written in Golang).  There is no background
checking of the people running the keyservers.

https://sks-keyservers.net/ is Kristian Fiskerstrand's site on the pool
software which he maintains -- he runs the DNS and ultimately decides
which features/versions are required to go into pool.sks-keyservers.net.
You should probably read the overview and look over the status pages.

Resources which might be of interest:

  What PGP keyservers exist:
    http://people.spodhuis.org/phil.pennock/pgp-keyservers
  What's involved in running an SKS keyserver:
    https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
  SKS mailing-list:
    https://lists.nongnu.org/mailman/listinfo/sks-devel
  Me writing on the threat model of PGP keyservers:
    http://lists.gnu.org/archive/html/sks-devel/2014-08/msg00054.html

> keys.gnupg.net is the default keyserver for which GPG on my Xubuntu
> 14.04 sends and receives keys, so I'd presume this is not expected
> behavior.

The security model of PGP is based around signatures on keys, not upon
the transport or origin of the keys.

> What can we do to make keys.gnupg.net switch to https or at least make
> things more stable? With all the discussion about PKI on this list, I
> figure there's bound to be some good ideas.

Look through the sks-devel list archives.

-Phil


More information about the Messaging mailing list