Re: Garbled data in keyservers

2018-12-10 Thread Stefan Claas
On Mon, 10 Dec 2018 18:34:49 +0100, Wiktor Kwapisiewicz wrote:
> On 10.12.2018 17:32, Stefan Claas wrote:
>
> > As per Werner's suggestion to make only the fingerprint available for
> > (Web/API) searches, is also a thing, because like I previously said a list
> > of fingerprints for example can still be
>
> This would solve some problems but not others. I think Web Key Directory (for
> people controlling their domains) coupled with Autocrypt (for everyone else)
> already solves a large number of use cases people need key servers. The only
> real problem that keyservers are good at is storing revocations in a way that
> is hard to delete.

Yes, WKD and Autocrypt are really good enhancements.
 
> But if that is so "maybe we need just a revocation server" as someone said on
> the OpenPGP Email Summit 2018 (https://wiki.gnupg.org/EmailSummit2018Notes).

Thanks for the link, just started reading the content. Very good read!

Best regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Garbled data in keyservers

2018-12-10 Thread Wiktor Kwapisiewicz via Gnupg-users
On 10.12.2018 17:32, Stefan Claas wrote:
> Yes, it seems it would be a good start. However, whether unwanted data can
> then still be submitted remains to be seen, because what if anonymous email
> services would use DKIM too?

Well it depends on the implementation. In the current keyserver model everyone can
append signatures to everyone's keys because the design assumed that it's good
that other people can certify your key and didn't predict "trollwot".

But it's technically possible to accept key signatures for a key only from the
key owner. Of course implementing that in SKS would take a lot of work.

Then if someone used anonymous e-mail service they could update only their keys.

If you consider that a risk then the software shouldn't accept foreign keys at
all as e-mail verification won't solve the SPAM problem in general. That is also
a benefit of WKD because everyone takes care of their own keys and no one has to
volunteer to host other people's stuff.

> As per Werner's suggestion to make only the fingerprint available for
> (Web/API) searches, is also a thing, because like I previously said a list
> of fingerprints for example can still be

This would solve some problems but not others. I think Web Key Directory (for
people controlling their domains) coupled with Autocrypt (for everyone else)
already solves a large number of use cases people need key servers. The only
real problem that keyservers are good at is storing revocations in a way that is
hard to delete.

But if that is so "maybe we need just a revocation server" as someone said on
the OpenPGP Email Summit 2018 (https://wiki.gnupg.org/EmailSummit2018Notes).

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor



Re: Garbled data in keyservers

2018-12-10 Thread Stefan Claas
On Mon, 10 Dec 2018 14:25:08 +0100, Wiktor Kwapisiewicz wrote:

Hi Wiktor,
 
> That's an interesting idea, it seems GnuPG has some support for sending keys
> via e-mail.

> By the way validation of keys sent from e-mail would require DKIM as it's easy
> to spoof "From" (that's why most solutions send verification e-mails to the
> e-mail address instead of receiving it).

Yes, it seems it would be a good start. However, whether unwanted data can then
still be submitted remains to be seen, because what if anonymous email services
would use DKIM too?

As per Werner's suggestion to make only the fingerprint available for (Web/API)
searches, is also a thing, because like I previously said a list of fingerprints
for example can still be generated and uploaded with a description of a file
name, so that users only need to use a one-liner like that:

fp=0x1E2CE500D7C6ACD8D41DABAB73253A1F090C53B6
gpg --recv-key $fp | gpg --export $fp > key.asc && gpg --list-packets key.asc |\
grep -e '^:user ID packet: "[[:digit:]]'|sed -e 's/^:user ID packet: "//' |\
sort -n | sed -e 's/^[^@]*@//'| tr -d '"\015\012' | fold -w 76 | base64 -d > Kristian.jpg

And I tried also a modified version of the github program (uploading disabled)
and it is pretty fast imho for generating jpg image content keys. For other
binary stuff it is slow.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

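The one-liner above reassembles a file that someone has split into numbered user IDs. As an added detection example (my own code, not GnuPG's and not from the list), here is the mirror image from the keyserver operator's side: it parses `gpg --list-packets` output, flags a key whose user IDs are numbered base64 chunks rather than identities, and reports what the reassembled payload looks like. The packet listing is constructed; the chunk shape "<n>@<base64>" is assumed from the `sed`/`sort -n` steps above.

```python
import base64
import re

# Constructed `gpg --list-packets` output (not a real key): one ordinary user ID
# plus three numbered user IDs that carry base64 chunks of a JPEG header.
SAMPLE_PAYLOAD_KEY = """\
:public key packet:
\tversion 4, algo 1, created 1544454000, expires 0
\tkeyid: 0123456789ABCDEF
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
:user ID packet: "2@SkZJ"
:user ID packet: "1@/9j/4AAQ"
:user ID packet: "3@RgA="
"""

UID_LINE = re.compile(r'^:user ID packet: "(.*)"$')
CHUNK_UID = re.compile(r'^(\d+)@([A-Za-z0-9+/=]+)$')  # "<n>@<base64>" shape
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"%PDF": "pdf",
         b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip"}


def user_ids(packets_text):
    """Return every user ID string found in --list-packets output."""
    return [m.group(1) for m in map(UID_LINE.match, packets_text.splitlines()) if m]


def analyse_key(packets_text):
    """Report whether a key's user IDs look like a chunked binary payload."""
    chunks, ordinary = [], []
    for uid in user_ids(packets_text):
        m = CHUNK_UID.match(uid)
        if m:
            chunks.append((int(m.group(1)), m.group(2)))
        else:
            ordinary.append(uid)
    report = {"ordinary_uids": ordinary, "chunk_count": len(chunks),
              "payload_bytes": 0, "payload_kind": None, "suspicious": False}
    if not chunks:
        return report
    chunks.sort()  # the leading number is the reassembly order (cf. `sort -n`)
    try:
        payload = base64.b64decode("".join(data for _, data in chunks), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        payload = b""
    report["payload_bytes"] = len(payload)
    report["payload_kind"] = next((kind for magic, kind in MAGIC.items()
                                   if payload.startswith(magic)), "unknown")
    # Two or more numbered base64 chunks is not how identities are written.
    report["suspicious"] = len(chunks) >= 2 or report["payload_kind"] != "unknown"
    return report


if __name__ == "__main__":
    print(analyse_key(SAMPLE_PAYLOAD_KEY))
```

A keyserver could run this on submissions and refuse keys that trip the check, or a client could run it before importing a key fetched by fingerprint.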


Re: Garbled data in keyservers

2018-12-10 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi, 

I use an address I control, but the email was not even sent so I guess the 
error happened before the key hit the network.

Kind regards,
Wiktor 

On December 10, 2018 2:56:54 PM UTC, Damien Goutte-Gattat wrote:
>On Mon, Dec 10, 2018 at 02:25:08PM +0100, Wiktor Kwapisiewicz via
>Gnupg-users wrote:
>> On 09.12.2018 20:48, Stefan Claas wrote:
>> > Mind you in the 90's PGP key servers accepted also email and Usenet
>> > submissions, if I remember correctly. The keyword was then simply
>> > the word "add" in the subject line of an email.
>>
>> [...]
>>
>> I didn't manage to get it running though ("gpg: keyserver send failed: No
>> keyserver available"), probably it depends on some package that I don't have
>> locally.
>
>As far as I know, most keyservers nowadays no longer accept key
>submission by e-mail. Those that still support the e-mail
>interface only do so to allow *querying* the keyserver, not
>*adding* any key; that is, they only support the INDEX and the GET
>commands, not the ADD command.
>
>- Damien

-- 
metacode


Re: Garbled data in keyservers

2018-12-10 Thread Damien Goutte-Gattat via Gnupg-users
On Mon, Dec 10, 2018 at 02:25:08PM +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
> On 09.12.2018 20:48, Stefan Claas wrote:
> > Mind you in the 90's PGP key servers accepted also email and Usenet
> > submissions, if I remember correctly. The keyword was then simply
> > the word "add" in the subject line of an email.
>
> [...]
>
> I didn't manage to get it running though ("gpg: keyserver send failed: No
> keyserver available"), probably it depends on some package that I don't have
> locally.

As far as I know, most keyservers nowadays no longer accept key
submission by e-mail. Those that still support the e-mail
interface only do so to allow *querying* the keyserver, not
*adding* any key; that is, they only support the INDEX and the GET
commands, not the ADD command.


- Damien




Re: Garbled data in keyservers

2018-12-10 Thread Wiktor Kwapisiewicz via Gnupg-users
On 09.12.2018 20:48, Stefan Claas wrote:
> Mind you in the 90's PGP key servers accepted also email and Usenet
> submissions, if I remember correctly. The keyword was then simply
> the word "add" in the subject line of an email.

That's an interesting idea, it seems GnuPG has some support for sending keys via
e-mail.

From the "--keyserver" option documentation [0]:

> This is the server that --receive-keys, --send-keys, and --search-keys will
> communicate with to receive keys from, send keys to, and search for keys on.
> (...) The scheme is the type of keyserver: "hkp" for the HTTP (or compatible)
> keyservers, "ldap" for the LDAP keyservers, or *"mailto" for the Graff email
> keyserver*.

I didn't manage to get it running though ("gpg: keyserver send failed: No
keyserver available"), probably it depends on some package that I don't have
locally.

By the way validation of keys sent from e-mail would require DKIM as it's easy
to spoof "From" (that's why most solutions send verification e-mails to the
e-mail address instead of receiving it).

Kind regards,

Wiktor

[0]:
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html

-- 
https://metacode.biz/@wiktor
