[messaging] TOFU to ease PGP key discovery
tankred at whiteout.io
Tue Feb 10 02:26:31 PST 2015
> 1. Are you using the sks-keyserver server or did you roll your own HKP
> implementation. If you're using sks, can you elaborate on how you
> setup your internal infrastructure and API to the core sks-keyserver?
> If you rolled your own HKP, is there source code available? I'd love
> to find an alternative implementation for HKP that's not written in
Our key server is written in node.js, uses MongoDB and runs on AWS
Elastic Beanstalk Infrastructure
Our server code is pretty specific to our service, so I don't know if
it would make sense to open source that. Right now we are open
sourcing only the client app.
> 2. You mentioned on HN that you gossip with other keyservers. Since
> the gossip protocol is completely undocumented, do you know much about
> how it works? I've been trying to read the OCaml, but have been
> getting very lost. Hockeypuck claims they can do this, but I don't
> think it's the same gossip protocol, right?
Our "gossiping protocol" is quite simple at the moment. We didn't
implement a standard. It just act as a proxy to five common SKS
servers. This is mainly because of the lack of CORS and reliability as
mentioned in the blog post.
If we don't find a verified public key in our directory, we proxy the
following GET request:
To these five servers and return the fastest response:
These were the most reliable servers in my tests. Especially the
ubuntu key server seems to be the fastest most of the time.
> 3. When gossiping, do you accept new keys from other sources that have
> a @whiteout.io domain? If I create a public key for "John Smith
> <john.smith at whiteout.io>" and upload it to pgp.mit.edu, will that be
> synced with your database?
We don't sync. We proxy requests for fetches and uploads.
> Third, FYI, there is CORS support for sks keyservers as of 1.1.5.
> Also, many keyservers are mirrored on port 443 and using root CA
> signed certs. I created an ajax publickey.js demo using the
> https://keys.fedoraproject.org/ keyserver. You're right, though, that
> you can't just use hkps.pool.sks-keyservers.net, since the TLS
> certificate in that pool must be signed by the SKS CA (which isn't a
> root CA in pretty much every browser).
Good to know thanks!
> Thanks again!
> : https://news.ycombinator.com/item?id=9013852
> : https://hockeypuck.github.io/
> : https://diafygi.github.io/publickeyjs/
> On Mon, Feb 9, 2015 at 12:58 AM, Tankred Hase <tankred at whiteout.io> wrote:
>> we've added HKP key server support to Whiteout Wail and have written a
>> post about usability. Though I'd share it here:
>> Thanks for any feedback!
>> Whiteout Networks GmbH c/o Werk1
>> Grafinger Str. 6
>> D-81671 München
>> Geschäftsführer: Oliver Gajek
>> RG München HRB 204479
>> Messaging mailing list
>> Messaging at moderncrypto.org
Whiteout Networks GmbH c/o Werk1
Grafinger Str. 6
Geschäftsführer: Oliver Gajek
RG München HRB 204479
More information about the Messaging