Re: regular update of all keys from a keyserver

2016-10-18 Thread Martin T
Thank you for all the replies!

Martin

On Mon, Oct 17, 2016 at 7:52 PM, Brian Minton  wrote:
>
>
> On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
>> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>>
>>> I am aware that one can update all the keys in the local keyring from a
>>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>>> simply putting this command into the user crontab and executing it, for
>>> example, once a day?
>> The only disadvantages are if you don't want to reveal the contents of
>> your keyring to the public keyservers, or to announce your presence on
>> the network.
>>
>> If you prefer to do these things in an anonymized way, you might prefer
>> a tool like parcimonie,
>
> I run a key server, which allows me to do as many key-retrieval queries
> as I like, without giving any information away to the rest of the
> world.  It also helps a little, but not completely, with the problem of
> adding keys to the keyserver network, with respect to my social
> network.  In particular, it's not easy for any keyserver to see which of
> its peers' peers a given key or set of keys, originated from.  However,
> in theory, an attacker could track the progress of a given key across
> the network of keyservers by quick querying, but it's a pretty small
> window between the introduction of keys to a single member of the pool,
> and it being shared to all the keyservers.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: regular update of all keys from a keyserver

2016-10-17 Thread Brian Minton


On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>
>> I am aware that one can update all the keys in the local keyring from a
>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>> simply putting this command into the user crontab and executing it, for
>> example, once a day?
> The only disadvantages are if you don't want to reveal the contents of
> your keyring to the public keyservers, or to announce your presence on
> the network.
>
> If you prefer to do these things in an anonymized way, you might prefer
> a tool like parcimonie, 

I run a key server, which allows me to do as many key-retrieval queries
as I like, without giving any information away to the rest of the
world.  It also helps a little, but not completely, with the problem of
adding keys to the keyserver network, with respect to my social
network.  In particular, it's not easy for any keyserver to see which of
its peers' peers a given key or set of keys, originated from.  However, 
in theory, an attacker could track the progress of a given key across
the network of keyservers by quick querying, but it's a pretty small
window between the introduction of keys to a single member of the pool,
and it being shared to all the keyservers.


Fwd: Re: regular update of all keys from a keyserver

2016-10-17 Thread Stephan Beck
I forgot to send it to the list as well...


 Forwarded Message 
Subject: Re: regular update of all keys from a keyserver
Date: Mon, 17 Oct 2016 16:20:00 +
From: Stephan Beck <st...@mailbox.org>
Reply-To: st...@mailbox.org
To: Martin T <m4rtn...@gmail.com>

Hi Martin,

Martin T:
> Hi,
> 
> I am aware that one can update all the keys in the local keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply putting this command into the user crontab and executing it, for
> example, once a day?

Yes. To protect you and your contacts from an eavesdropper (may it be
the ISP or someone else), you may refresh your keyring over the Tor
Network, using Parcimonie (1), which opens another circuit for every
single refreshing action (one refreshing action, one refreshed key),
thus slowly refreshing the whole keyring. Actually, it works with gpg
v1, I've never got it working with gpg2, though. If someone out there
knows how to adapt it for use with gpg2, go ahead and tell us!

Well, you don't tell us anything about your system or your gpg version,
but another way (with gpg 2.1.10 or later) is using the in-built support
for refreshing your keyring via Tor using --use-tor option.
Quote from the 2.1.10 announce mail (2):
 * dirmngr: New option --use-tor.  For full support this requires
   libassuan version 2.4.2 and a patched version of libadns
   (e.g. adns-1.4-g10-7 as used by the standard Windows installer).

If you do not use or do not want to use Tor, I'd recommend using at
least https in any case, retrieving the certificate of
sks-keyservers.netCA.pem first (3), verifying it and copying it into
your gnupg home directory, and adding it to the keyserver section in
gpg.conf.

I'd never refresh my keyring over plain http, because, yes, we "should
all have something to hide" (4), whatever the threats may be that are
already knocking on our doors and whoever might tell us that this battle
is lost or useless.

(1) https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
(2) https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html
(3) https://sks-keyservers.net/sks-keyservers.netCA.pe
(4) https://moxie.org/blog/we-should-all-have-something-to-hide/

Cheers

Stephan
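Putting Stephan's advice (hkps with the pool CA pinned, or dirmngr's use-tor) next to Martin's cron idea, the following is an added shell example and not code from the thread or from the GnuPG project. It writes a gpg.conf and dirmngr.conf for GnuPG 2.1 or later, checks that a refresh could never go out over plain hkp, and prints the crontab entry that runs the daily refresh. The pool name, the certificate file name, the hour in the schedule and all function names are assumptions; with GnuPG 2.1 the CA pin belongs in dirmngr.conf as hkp-cacert rather than in the keyserver section of gpg.conf, which is where the gpg 1.x and 2.0 option lived. The sks-keyservers.net pool used as the sample value was retired in 2021, so a current hkps keyserver should be substituted.

```shell
#!/bin/sh
# Added example, not code from the thread: build a GnuPG 2.1+ configuration in
# which "gpg --refresh-keys" reaches the keyserver only over hkps with a pinned
# pool CA (and, optionally, through Tor via dirmngr's use-tor), then emit the
# cron line that runs it. Pool name, certificate path and schedule are assumptions.
set -eu

# Write gpg.conf and dirmngr.conf into a GNUPGHOME.
#   $1  directory to use as GNUPGHOME
#   $2  "tor" to add dirmngr's use-tor option (GnuPG 2.1.10+), anything else omits it
write_refresh_config() {
    home="$1"
    mode="${2:-plain}"
    mkdir -p "$home"
    chmod 700 "$home"
    # gpg.conf: an hkps pool (assumed name) so every keyserver query is TLS-protected
    printf 'keyserver hkps://hkps.pool.sks-keyservers.net\n' > "$home/gpg.conf"
    # dirmngr.conf: pin the pool's CA (file name is an assumption; the certificate
    # itself is fetched and verified out of band, as the message above describes)
    printf 'hkp-cacert %s/sks-keyservers.netCA.pem\n' "$home" > "$home/dirmngr.conf"
    if [ "$mode" = tor ]; then
        printf 'use-tor\n' >> "$home/dirmngr.conf"
    fi
}

# Return 0 only if the configuration never lets a refresh go out over plain hkp:
# either all keyserver traffic is routed through Tor, or the keyserver is hkps://
# and a CA is pinned for it. Anything else (plain hkp, hkps without a pin) fails.
refresh_is_protected() {
    home="$1"
    if grep -q '^use-tor' "$home/dirmngr.conf" 2>/dev/null; then
        return 0
    fi
    if grep -q '^keyserver hkps://' "$home/gpg.conf" 2>/dev/null &&
       grep -q '^hkp-cacert ' "$home/dirmngr.conf" 2>/dev/null; then
        return 0
    fi
    return 1
}

# The crontab entry from the original question, pointed at this GNUPGHOME.
# Runs once a day at 04:00 (the hour is an assumption); --batch keeps gpg from
# waiting on a terminal, which a cron job never has.
cron_line() {
    home="$1"
    printf '0 4 * * * GNUPGHOME=%s gpg --batch --quiet --refresh-keys\n' "$home"
}

# Usage: sh refresh-config.sh /path/to/gnupghome [tor]
if [ "$#" -ge 1 ]; then
    write_refresh_config "$1" "${2:-plain}"
    refresh_is_protected "$1" && echo "transport protection: ok"
    cron_line "$1"
fi
```

The check treats use-tor alone as sufficient because that is the stance taken in the message above (Tor hides the refresh from the ISP); a Tor exit relay still sees a plain hkp query in full, so combining use-tor with an hkps keyserver and a pinned CA is the stronger setting, and the generated files do both when "tor" is requested.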



Re: regular update of all keys from a keyserver

2016-10-17 Thread Daniel Kahn Gillmor
On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:

> I am aware that one can update all the keys in the local keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply putting this command into the user crontab and executing it, for
> example, once a day?

The only disadvantages are if you don't want to reveal the contents of
your keyring to the public keyservers, or to announce your presence on
the network.

If you prefer to do these things in an anonymized way, you might prefer
a tool like parcimonie, or if you're a coder (or have ways to encourage
other coders to work on things you think are interesting), you might
want to look into ways to try to address
https://bugs.gnupg.org/gnupg/issue1827

--dkg


RE: regular update of all keys from a keyserver

2016-10-17 Thread Robert J. Hansen
> I am aware that one can update all the keys in the local keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply putting this command into the user crontab and executing it, for
> example, once a day?

Not that I know of.  Some people will tell you that "an attacker listening
in on your network connection could discover your social graph!", but
honestly, if people are eavesdropping on my network connection they already
have so many ways to discover my social graph that one more just doesn't
matter.  This 'problem' has always struck me as much ado about nothing much.


regular update of all keys from a keyserver

2016-10-17 Thread Martin T
Hi,

I am aware that one can update all the keys in the local keyring from a
keyserver using "gpg --refresh-keys". Are there any disadvantages to
simply putting this command into the user crontab and executing it, for
example, once a day?


thanks,
Martin
