Re: regular update of all keys from a keyserver
Thank you for all the replies!

Martin

On Mon, Oct 17, 2016 at 7:52 PM, Brian Minton wrote:
>
> On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
>> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>>
>>> I am aware that one can update all the keys in the local keyring from a
>>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>>> simply putting this command into the user crontab and executing it,
>>> for example, once a day?
>> The only disadvantages are if you don't want to reveal the contents of
>> your keyring to the public keyservers, or to announce your presence on
>> the network.
>>
>> If you prefer to do these things in an anonymized way, you might prefer
>> a tool like parcimonie,
>
> I run a key server, which allows me to do as many key-retrieval queries
> as I like, without giving any information away to the rest of the
> world. It also helps a little, but not completely, with the problem of
> adding keys to the keyserver network, with respect to my social
> network. In particular, it's not easy for any keyserver to see which of
> its peers' peers a given key or set of keys originated from. However,
> in theory, an attacker could track the progress of a given key across
> the network of keyservers by quickly querying, but it's a pretty small
> window between the introduction of keys to a single member of the pool
> and it being shared to all the keyservers.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: regular update of all keys from a keyserver
On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>
>> I am aware that one can update all the keys in the local keyring from a
>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>> simply putting this command into the user crontab and executing it,
>> for example, once a day?
> The only disadvantages are if you don't want to reveal the contents of
> your keyring to the public keyservers, or to announce your presence on
> the network.
>
> If you prefer to do these things in an anonymized way, you might prefer
> a tool like parcimonie,

I run a key server, which allows me to do as many key-retrieval queries as I like, without giving any information away to the rest of the world. It also helps a little, but not completely, with the problem of adding keys to the keyserver network, with respect to my social network. In particular, it's not easy for any keyserver to see which of its peers' peers a given key or set of keys originated from. However, in theory, an attacker could track the progress of a given key across the network of keyservers by quickly querying, but it's a pretty small window between the introduction of keys to a single member of the pool and it being shared to all the keyservers.
Fwd: Re: regular update of all keys from a keyserver
I forgot to send it to the list as well...

Forwarded Message
Subject: Re: regular update of all keys from a keyserver
Date: Mon, 17 Oct 2016 16:20:00 +
From: Stephan Beck <st...@mailbox.org>
Reply-To: st...@mailbox.org
To: Martin T <m4rtn...@gmail.com>

Hi Martin,

Martin T:
> Hi,
>
> I am aware that one can update all the keys in the local keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply putting this command into the user crontab and executing it,
> for example, once a day?

Yes. To protect you and your contacts from an eavesdropper (be it the ISP or someone else), you may refresh your keyring over the Tor network using Parcimonie (1), which opens another circuit for every single refresh action (one refresh action, one refreshed key), thus slowly refreshing the whole keyring. Actually, it works with gpg v1; I've never got it working with gpg2, though. If someone out there knows how to adapt it for use with gpg2, go ahead and tell us!

Well, you don't tell us anything about your system or your gpg version, but another way (with gpg 2.1.10 or later) is to use the built-in support for refreshing your keyring via Tor with the --use-tor option. Quote from the 2.1.10 announce mail (2):

> * dirmngr: New option --use-tor. For full support this requires
>   libassuan version 2.4.2 and a patched version of libadns
>   (e.g. adns-1.4-g10-7 as used by the standard Windows installer).

If you do not use or do not want to use Tor, I'd recommend using at least https in any case, retrieving the sks-keyservers.netCA.pem certificate first (3), verifying it and copying it into your gnupg home directory, and adding it to the keyserver section in gpg.conf. I'd never refresh my keyring over plain http, because, yes, we "should all have something to hide" (4), whatever the threats may be that are already knocking on our doors and whoever might tell us that this battle is lost or useless.

(1) https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
(2) https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html
(3) https://sks-keyservers.net/sks-keyservers.netCA.pe
(4) https://moxie.org/blog/we-should-all-have-something-to-hide/

Cheers

Stephan
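An added example, not from the thread or from the GnuPG project: a small POSIX sh script that picks between the two approaches described in the replies above (dirmngr's use-tor on gpg 2.1.10 or later, otherwise hkps with the pinned sks-keyservers.netCA.pem) and emits the matching options plus the daily crontab entry from the original question. It assumes gpg is in PATH, a default GNUPGHOME of ~/.gnupg, an illustrative pool hostname hkps.pool.sks-keyservers.net, and that the CA file was already fetched and verified as the message suggests.

```shell
#!/bin/sh
# Added example, not from the thread: emit the refresh configuration the
# replies describe (dirmngr use-tor on gpg >= 2.1.10, hkps with a pinned CA
# otherwise) plus the daily cron line from the original question.
# Assumptions not stated in the thread: gpg is in PATH, the pool hostname
# is illustrative, and the CA file was fetched and verified out of band.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
CA_FILE="$GNUPGHOME/sks-keyservers.netCA.pem"
KEYSERVER="hkps://hkps.pool.sks-keyservers.net"

# version_ge A B: succeed when dotted version A >= B (three numeric fields).
version_ge() {
  printf '%s\n%s\n' "$1" "$2" | awk -F. '
    NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
    NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
    END {
      for (i = 1; i <= 3; i++) if (a[i] != b[i]) exit (a[i] < b[i])
      exit 0
    }'
}

# gpg_version: the version field on the first line of "gpg --version".
gpg_version() { gpg --version 2>/dev/null | awk 'NR == 1 { print $3 }'; }

# conf_target VERSION: since 2.1 keyserver settings belong in dirmngr.conf.
conf_target() {
  if version_ge "$1" 2.1.0; then echo dirmngr.conf; else echo gpg.conf; fi
}

# render_conf VERSION: options for that file. use-tor (2.1.10+) sends all
# keyserver traffic through a local Tor daemon and refuses to talk to
# keyservers when no Tor daemon is reachable.
render_conf() {
  echo "keyserver $KEYSERVER"
  if version_ge "$1" 2.1.0; then
    echo "hkp-cacert $CA_FILE"
    if version_ge "$1" 2.1.10; then echo use-tor; fi
  else
    echo "keyserver-options ca-cert-file=$CA_FILE"
  fi
}
# cron_line: one refresh per day, as proposed in the original question.
cron_line() { echo "0 4 * * * gpg --quiet --refresh-keys >/dev/null 2>&1"; }
# REFRESH_APPLY=1 sh refresh-conf.sh appends the options and installs the job.
if [ "${REFRESH_APPLY:-0}" = 1 ]; then
  ver=$(gpg_version)
  render_conf "$ver" >> "$GNUPGHOME/$(conf_target "$ver")"
  { crontab -l 2>/dev/null; cron_line; } | crontab -
fi
```

Run without REFRESH_APPLY it only defines the helpers, so `render_conf "$(gpg_version)"` can be used to preview the options before anything is written.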
Re: regular update of all keys from a keyserver
On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
> I am aware that one can update all the keys in the local keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply putting this command into the user crontab and executing it,
> for example, once a day?

The only disadvantages are if you don't want to reveal the contents of your keyring to the public keyservers, or to announce your presence on the network.

If you prefer to do these things in an anonymized way, you might prefer a tool like parcimonie, or if you're a coder (or have ways to encourage other coders to work on things you think are interesting), you might want to look into ways to try to address https://bugs.gnupg.org/gnupg/issue1827

--dkg
RE: regular update of all keys from a keyserver
> I am aware that one can update all the keys in the local keyring from a keyserver
> using "gpg --refresh-keys". Are there any disadvantages to simply putting this
> command into the user crontab and executing it, for example, once a day?

Not that I know of. Some people will tell you that "an attacker listening in on your network connection could discover your social graph!", but honestly, if people are eavesdropping on my network connection they already have so many ways to discover my social graph that one more just doesn't matter.

This 'problem' has always struck me as much ado about nothing much.
regular update of all keys from a keyserver
Hi,

I am aware that one can update all the keys in the local keyring from a keyserver using "gpg --refresh-keys". Are there any disadvantages to simply putting this command into the user crontab and executing it, for example, once a day?

thanks,
Martin