Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Konstantin Ryabitsev 

On Fri, Jun 14, 2019 at 05:25:05PM +0300, Teemu Likonen wrote:
The current shortcoming is stripping third-party signatures. So Web 
of

Trust wouldn't work (for good reasons described in the FAQ [0]). For
some people this may be surprising.


It may turn out to be a good choice to leave other people's certificates
(third-party signatures) out. It seems to solve the storage abuse
problem and probably doesn't harm too much communities who need web of
trust. Generally web of trust works only in tight communities who can
really verify each other's keys. Such communities can easily distribute
their keys through their web site or other common resources.


This is harder than it seems, so inability to use 3rd-party signatures 
is kind of a deal-breaker. E.g. if you consider a community like Linux 
kernel, where only very few developers have @kernel.org identities, it 
would be handy to have a keyserver that did all of the following:


1. implement the regular --send-key --recv-key api
2. when accepting a --send-key, check to make sure at least one of the 
uid's matches an allow-list of identities (for example, from a dump of 
all authors/committers in linux.git)

3. perform email verification using the matching identity from #2
4. store all key data without stripping out 3rd-party signatures

I guess it would be easy enough to hack that into hagrid, but that would 
mean a hard fork and I'd avoid that at all costs.


-K

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Stefan Claas 
Michał Górny wrote:

> Given that SKS pool is entirely open, it is rather trivial for a single
> malicious entity to set multiple new keyservers up, and gain advantage
> over other servers in the pool.  In fact, this is probably easier than
> corrupting the single central server.

Fully agree. I proposed a couple of years ago to Phil Zimmermann's
Silent Circle*, in Switzerland, to run a modern key server in form
like we had with pgp.com. Never received a reply ...

*IIRC out of business and Mr. Zimmermann now works afaik for
startpage.com, in the Netherlands, and is involved in Openspace.

Regards
Stefan


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Teemu Likonen 
Wiktor Kwapisiewicz [2019-06-14 11:59:16+02] wrote:

> Storing endless amounts of data without any kind of verification was a
> bad idea. Maybe SKS was designed in good old times when no-one would
> try to take advantage of it but in 2019 validating e-mail address is
> bare minimum a service such as this should do.
>
> The current shortcoming is stripping third-party signatures. So Web of
> Trust wouldn't work (for good reasons described in the FAQ [0]). For
> some people this may be surprising.

It may turn out to be a good choice to leave other people's certificates
(third-party signatures) out. It seems to solve the storage abuse
problem and probably doesn't harm too much communities who need web of
trust. Generally web of trust works only in tight communities who can
really verify each other's keys. Such communities can easily distribute
their keys through their web site or other common resources. For larger
audience it's probably enough to have an easy and automatic key
discovery and key update service, such as this keys.openpgp.org seems to
be. I think.

-- 
/// Teemu Likonen    //
// PGP: 4E1055DC84E9DFF613D78557719D69D324539450 ///


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Michał Górny 
On Fri, 2019-06-14 at 11:56 +0100, Damien Goutte-Gattat via Gnupg-users
wrote:
> Hi,
> 
> On Fri, Jun 14, 2019 at 10:12:51AM +0200, Oscar Carlsson via Gnupg-users 
> wrote:
> > I'm generally curious on your opinions on the latest new keyserver, 
> > this time running a new software than the normal keyservers.
> 
> For what it's worth, my main concern is that it is a centralized 
> service.
> 
> This puts whoever is running keys.openpgp.org in a uniquely good 
> position to do Bad Things™. Of course I don't expect they would, but the 
> point is, they could (or they could be forced to).

To be honest, I've been considering similar problems with SKS lately
and I don't really think a distributed service such as SKS is any better
in this regard.

Given that SKS pool is entirely open, it is rather trivial for a single
malicious entity to set multiple new keyservers up, and gain advantage
over other servers in the pool.  In fact, this is probably easier than
corrupting the single central server.

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Stefan Claas 
Damien Goutte-Gattat via Gnupg-users wrote:

> Hi,
> 
> On Fri, Jun 14, 2019 at 10:12:51AM +0200, Oscar Carlsson via Gnupg-users
> wrote:
> >I'm generally curious on your opinions on the latest new keyserver, 
> >this time running a new software than the normal keyservers.
> 
> For what it's worth, my main concern is that it is a centralized 
> service.
> 
> This puts whoever is running keys.openpgp.org in a uniquely good 
> position to do Bad Things™. Of course I don't expect they would, but the 
> point is, they could (or they could be forced to).

Interesting to read young peoples thoughts. Can you give a good reason why
key servers should be a decentralized distributing medium? For Warez etc,
like p2p Networks I can understand this. 

Why not let key servers be run, like this new one, on behalf of Government
Institutions, or commercial Services etc. like S/MIME ldap Servers?

Would a dissident or other people really benefit from the old style key
server medium? I mean when third parties have them on their radar it
would not help them much, right?

The only benefit I see is that 3rd parties, not known to us, can do
"research" with a key dump, without letting us know. With a centralized
approach and run on behalf by proper authorities this would be not
possible, and if, they can do this anyways with what we have now.

Regards
Stefan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Damien Goutte-Gattat via Gnupg-users 

Hi,

On Fri, Jun 14, 2019 at 10:12:51AM +0200, Oscar Carlsson via Gnupg-users wrote:
I'm generally curious on your opinions on the latest new keyserver, 
this time running a new software than the normal keyservers.


For what it's worth, my main concern is that it is a centralized 
service.


This puts whoever is running keys.openpgp.org in a uniquely good 
position to do Bad Things™. Of course I don't expect they would, but the 
point is, they could (or they could be forced to).


That being said, I have nothing better to propose and overall I welcome 
any attempt, however imperfect, to make OpenPGP slightly easier and/or 
more comfortable to use. (And I do note that Hagrid developers "plan to 
explore options for a distributed service in the future" [1].)


Regards,

- Damien

[1] https://keys.openpgp.org/about/faq


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Andrew Gallagher 
On 14/06/2019 09:31, Teemu Likonen wrote:
> Oscar Carlsson via Gnupg-users [2019-06-14 10:12:51+02] wrote:
> 
>> I'm generally curious on your opinions on the latest new keyserver,
>> this time running a new software than the normal keyservers.
>>
>> They seem to have a different model which minimize the amount of
>> information available, to be compliant with GDPR and friends. Do you
>> think there are any downsides to this?
> 
> You should have added a link to information about this "latest new
> keyserver" and its "different model" which you are referring to. Well,
> here:
> 
> https://keys.openpgp.org/about/news#2019-06-12-launch

I think it's interesting, but it has a few shortcomings. For a start, it
only supports email userids - so it is incompatible with monkeysphere.
It's also a centralised resource, meaning it's not resilient enough for
distributing revocations, which is the main use case for SKS these days
(there are already several alternative systems for discovery).

So it's not an SKS-killer (yet).

-- 
Andrew Gallagher



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Wiktor Kwapisiewicz via Gnupg-users 

Hi Oscar,

On 14.06.2019 10:12, Oscar Carlsson via Gnupg-users wrote:
I'm generally curious on your opinions on the latest new keyserver, this 
time running a new software than the normal keyservers.


It's definitely faster and more responsive. That was my personal pain 
point when interacting with SKS. For example I'm working on a small 
thing that fetches keys from keyservers. I push my modified key, fetch 
it from SKS and... nope, no changes are visible (because of nginx 
caching). Then a different, old set of data is visible. Then timeout. 
Etc. keys.openpgp.org just works. I push data and it's available.


They seem to have a different model which minimize the amount of 
information available, to be compliant with GDPR and friends. Do you 
think there are any downsides to this?


Storing endless amounts of data without any kind of verification was a 
bad idea. Maybe SKS was designed in good old times when no-one would try 
to take advantage of it but in 2019 validating e-mail address is bare 
minimum a service such as this should do.


The current shortcoming is stripping third-party signatures. So Web of 
Trust wouldn't work (for good reasons described in the FAQ [0]). For 
some people this may be surprising.


[0]: https://keys.openpgp.org/about/faq#third-party-signatures

For the record I don't think keys.openpgp.org is in any way 
revolutionary as it is now. It's a bare minimum keyserver that OpenPGP 
needed for a long time. Fortunately the team behind it has more ideas 
that could only improve the overall image and UX of OpenPGP in the wider 
community.


Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Teemu Likonen 
Oscar Carlsson via Gnupg-users [2019-06-14 10:12:51+02] wrote:

> I'm generally curious on your opinions on the latest new keyserver,
> this time running a new software than the normal keyservers.
>
> They seem to have a different model which minimize the amount of
> information available, to be compliant with GDPR and friends. Do you
> think there are any downsides to this?

You should have added a link to information about this "latest new
keyserver" and its "different model" which you are referring to. Well,
here:

https://keys.openpgp.org/about/news#2019-06-12-launch

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Oscar Carlsson via Gnupg-users 

2019-06-14 10:31 skrev Teemu Likonen:

Oscar Carlsson via Gnupg-users [2019-06-14 10:12:51+02] wrote:


I'm generally curious on your opinions on the latest new keyserver,
this time running a new software than the normal keyservers.

They seem to have a different model which minimize the amount of
information available, to be compliant with GDPR and friends. Do you
think there are any downsides to this?


You should have added a link to information about this "latest new
keyserver" and its "different model" which you are referring to. Well,
here:

https://keys.openpgp.org/about/news#2019-06-12-launch


Ah, sorry about that! And thanks for adding it for me.

I had added it to the title and didn't think of adding it to the body as 
well.



Oscar

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Oscar Carlsson via Gnupg-users 

Hi,

I'm generally curious on your opinions on the latest new keyserver, this 
time running a new software than the normal keyservers.


They seem to have a different model which minimize the amount of 
information available, to be compliant with GDPR and friends. Do you 
think there are any downsides to this?



Regards,
Oscar

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users