Re: [Sks-devel] Tor hidden service - what's the rationale?
On Sat, 2015-11-14 at 01:15 +0100, Hendrik Grewe wrote:
> I would imagine not leaving the tor network through an exit is the
> benefit.

And what should be the benefit of that? If tor works right, there is none; if it doesn't, there wouldn't be any either when you "not leave it" on hitting the hidden service.

> Why does facebook run a Hidden Service [0]?

Wild guess: Marketing & hype. Why do google/Yahoo/MS/whatsapp, etc. propagate their "cool" crypto stuff, which is actually useless in the end? People feel good.

> There were some thoughts one could create a profile by just looking at
> the metadata (from keyserver operator or eavesdropper on the line) while
> key-refresh request from a given peer. That's why tools like parcimonie
> [1a/b] were developed. Those use a new circuit for every single
> key-refresh.

I think there's a lot of difference between that, which works on the client side, and what we'd need on the server side. We share all keys, and every single update... this huge pile of data flow possibly makes it way easier for an attacker... than the few 100 or perhaps 1000 keys a normal user may have.

Cheers,
Chris.

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Tor hidden service - what's the rationale?
On Sat, 2015-11-14 at 02:36 +0100, Alain Wolf wrote:
> > And what should be the benefit of that?
> What is the benefit of leaving Tor?

Well you can't argue like that, can you? At least it alone wouldn't be argument enough for me to set up such a service. Running additional code, here tor, always means additional risk for the server operator. More code, more possible vulnerabilities. And more important... it easily gives people a wrong sense of security... "oh... that keyserver is a hidden tor service, so the bad guys can't catch them and tamper with it".

> > If tor works right, there is none, if it doesn't there wouldn't be any
> > either, when you "not leave it" when you hit the hidden service.
> The benefit is, that no exit node and no one else on the Internet
> (outside tor) can profile your communications habits and partners.

And, to my knowledge (though I must admit that I'm not a Tor theorist), this is no different from just the client running tor. As a server operator, I still see some IP,... just that it's not an exit node, but the last hop. Or is there any statement from the Tor guys or any paper which shows that tor gets more secure for the client when there is no exiting?

The only thing I know would be the encryption, but that's not really helpful for our usage scenario - the encryption that tor would have, and that we wouldn't have between the exit node and the non-hidden server, doesn't really give us anything, as there is already no trust relationship between server and client.

> It's your address book which you send over there. I assume most clients
> do that unencrypted (partly because of the manual steps needed to
> install Kris root cert for hkps).

Still, the hidden server doesn't prevent this... at least not more than normal Tor would do until there's another exit node chosen. The only thing, AFAIU, that helps here is that the client rotates his requests between many servers.
> We made good progress in encrypting mail-client-to-server connections in
> the last years. We are still working, but slowly progressing on
> server-to-server mail encryption. But people continue to happily send
> their complete address-books over the net unencrypted through HKP.

Valid point, but I don't see how Tor alone would solve this, and especially not how hidden services improve that.

> And as you seem not to like HKPS either ...
> > hkps is IMHO only little help there, especially as it has the big
> > problem of the strict hierarchical trust...
> But now that you have been given the possibility of an encrypted
> connection for your client, without hierarchy, but with the added
> benefit of the clients IP anonymity, and yet you still complain.
> What is it that you want?

The strict hierarchy of X509, which we have with hkps, is only the tip of the iceberg, as Kristian would be ultimately the one who's in control (@Kristian, don't take that personally :) ... sure you're a good guy, but in principle we must assume that each of us could be evil).

What you apparently miss is that HKPS gives you no trust relation to the server, at least nothing more than TOFU-like. You know (more or less certainly) that you connected to the same server again,... great,... so what? It doesn't even give you a small hint of the identity of the operator (Kristian doesn't verify this) and more importantly, even if it would, there was no proof that the operator gives you proper data. Anyone can set up a keyserver, ask Kristian for a cert or do the tor hidden server, even Agent Smith.

> > > Why does facebook run a Hidden Service [0]?
> > Wild guess: Marketing & hype
> All services I provide, public or private, or just personal, are also
> reachable as Tor hidden services.
> The time and cost I need to set up a hidden service is a fraction of
> what I need for any conventional service, by adding a real IP, firewall
> rules, DNS entries, TLS keys and certificates etc. etc. .
> As long as this is easier to setup, why make clients leave the Tor
> network, if we both are already inside it?

Uhm that seems a bit strange... how could it be easier? You still have to do all the real IP stuff, at least for Tor itself.

Anyway, as long as there's no true security benefit behind it, I remain sceptical that this rather lures people into a false sense of security.

Cheers,
Chris.
Re: [Sks-devel] old certificates
On Tue, 2014-04-29 at 12:52 +0200, Kiss Gabor (Bitman) wrote:
> a.keyserver.pki.scientia.net Aug 4 15:32:48 2013 GMT

Well I've written Kristian an email with a new CSR some week or so ago,... but no reply yet... or have I overlooked something?

Cheers,
Chris
Re: [Sks-devel] why does SKS have /dev/random open for writing?
On Thu, 2013-09-19 at 13:41 -0400, Daniel Kahn Gillmor wrote:

but writing on debian?

# lsof /dev/random
COMMAND  PID USER       FD   TYPE DEVICE SIZE/OFF NODE NAME
haveged 3510 root        4u   CHR    1,8      0t0 1045 /dev/random
sks     4488 debian-sks  3r   CHR    1,8      0t0 1045 /dev/random
sks     4489 debian-sks  3r   CHR    1,8      0t0 1045 /dev/random
# cat /etc/debian_version
jessie/sid

Cheers,
Chris.
Re: [Sks-devel] SKS should not accept or replay non-exportable certifications
On Fri, 2013-09-13 at 20:33 -0400, Robert J. Hansen wrote:
> In what bizarro universe is SKS an implementation of RFC4880?

Well it uses/processes OpenPGP message formats (i.e. by storing/publishing them).
Re: [Sks-devel] SKS should not accept or replay non-exportable certifications
On Fri, 2013-09-13 at 18:09 -0400, Daniel Kahn Gillmor wrote:
> Did anyone on this list expect the keyserver network to propagate
> non-exportable certifications?

Nah,... not really, IMHO it should be considered a bug, and ideally such existing signatures should be removed if possible.

And I guess the intention of the RFC is rather clear (with or without MUSTs)... implementations should not export such signatures... and SKS counts IMO as an implementation.

Cheers,
Chris.
Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output
On Tue, 2013-09-10 at 22:40 -0500, John Clizbe wrote:
> 2) As Christoph has already pointed out, this breaks the draft we try
> to follow as our standard.

One should add though, that it's only a pseudo-standard... perhaps one should pick up that work again and make a proper RFC out of it... one that is easily extendible.

Cheers,
Chris.
Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam
On Sun, 2013-09-08 at 13:05 -0700, Geoffrey Irving wrote:
> http://naml.us/trust

Should that be a live demo? It doesn't work here with FF 23.

> Here's candidate patch implementing CORS.

Do you see any chances to implement all that without requiring remote code/content (and thus CORS)? I guess many people will not really like that and some security frameworks (things like NoScript) may block it anyway.

Cheers,
Chris.
Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output
On Tue, 2013-09-10 at 23:29 +0200, Stefan Tomanek wrote:
> With this change, an additional line is appended to each search result
> when using the machine readable output. This line is prefixed with fpr:
> and contains the fingerprint of the key returned, making it possible to
> distinguish keys from each other before downloading them - even if a
> key id collision has occurred.

May it cause any problems as this breaks the pseudo-standard:
http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5.2 ?

Cheers,
Chris.
Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output
On Wed, 2013-09-11 at 02:13 +0200, Stefan Tomanek wrote:
> Just to be on the safe side, what about making the fpr line depend on
> the fingerprint parameter?

I think that sounds generally reasonable... not only for being on the safe side... and I guess you're right and no client should fail.

Cheers,
Chris.
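As an added example (not SKS code and not Stefan's patch): a client-side parser for the HKP machine-readable index format of draft-shaw-openpgp-hkp-00 section 5.2 that accepts the proposed fpr: line when present (it may only be sent with fingerprint=on) and shows how the fingerprint lets a client tell two keys with a colliding key ID apart, which a server without the patch cannot. The sample listing, key IDs and fingerprints are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass
class Key:
    keyid: str
    algo: int
    bits: int
    created: int
    expires: Optional[int]
    flags: str
    uids: List[str] = field(default_factory=list)
    fpr: Optional[str] = None   # set only when the server emitted an fpr: line


def parse_mr_index(text: str) -> List[Key]:
    """Parse an HKP machine-readable index into Key records.

    Line formats follow draft-shaw-openpgp-hkp-00 section 5.2; the extra
    fpr:<fingerprint> line is the proposed extension and is optional.
    Unknown tags are skipped so future extensions do not break the client.
    """
    keys: List[Key] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        tag = fields[0]
        if tag == "info":
            # info:<version>:<count>; the draft defines version 1 only
            if fields[1] != "1":
                raise ValueError("unsupported MR version %s" % fields[1])
            continue
        if tag == "pub":
            # pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
            keyid, algo, bits, created, expires, flags = (fields + [""] * 6)[1:7]
            keys.append(Key(keyid=keyid.upper(), algo=int(algo or 0),
                            bits=int(bits or 0), created=int(created or 0),
                            expires=int(expires) if expires else None,
                            flags=flags))
            continue
        if not keys:
            raise ValueError("%s: line before any pub: line" % tag)
        if tag == "uid":
            # uid:<%-escaped uid>:<creationdate>:<expirationdate>:<flags>
            keys[-1].uids.append(unquote(fields[1]))
        elif tag == "fpr":
            # Proposed extension. For v4 keys the key ID is the low-order part
            # of the fingerprint, so a mismatch means the server is broken.
            fpr = fields[1].upper()
            if not fpr.endswith(keys[-1].keyid):
                raise ValueError("fpr %s does not match keyid %s" % (fpr, keys[-1].keyid))
            keys[-1].fpr = fpr
    return keys


def keyid_collisions(keys: List[Key]) -> Dict[str, List[Optional[str]]]:
    """Map every key ID shared by more than one key to the fingerprints seen for it."""
    by_id: Dict[str, List[Optional[str]]] = {}
    for k in keys:
        by_id.setdefault(k.keyid, []).append(k.fpr)
    return {kid: fprs for kid, fprs in by_id.items() if len(fprs) > 1}


def select_key(keys: List[Key], fingerprint: str) -> Key:
    """Pick the key with the given fingerprint; refuse to guess on a colliding ID."""
    want = fingerprint.upper().replace(" ", "")
    matches = [k for k in keys if k.fpr == want]
    if len(matches) == 1:
        return matches[0]
    candidates = [k for k in keys if want.endswith(k.keyid)]
    if len(candidates) == 1 and candidates[0].fpr is None:
        return candidates[0]    # legacy server, but only one key with that ID
    raise ValueError("cannot identify key %s unambiguously without fpr: lines" % want)


# Constructed sample response from a server that emits fpr: lines. The two keys
# share the short key ID DEADBEEF but have different (made-up) fingerprints.
SAMPLE_MR = """\
info:1:2
pub:DEADBEEF:1:2048:1300000000::
uid:Alice%20Example%20%3Calice%40example.org%3E:1300000000::
fpr:0123456789ABCDEF0123456789ABCDEFDEADBEEF
pub:DEADBEEF:17:1024:1200000000:1400000000:
uid:Mallory%20%3Cmallory%40example.org%3E:1200000000::
fpr:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEADBEEF
"""

# The same listing from a server without the patch: the keys cannot be told apart.
SAMPLE_MR_LEGACY = "\n".join(l for l in SAMPLE_MR.splitlines() if not l.startswith("fpr:"))


if __name__ == "__main__":
    keys = parse_mr_index(SAMPLE_MR)
    print("collisions:", keyid_collisions(keys))
    print("selected:", select_key(keys, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEADBEEF").uids)
```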
Re: [Sks-devel] Legalese for mismatched expectations
On Fri, 2013-08-30 at 20:46 -0400, Jeffrey Johnson wrote:
> Too many words, keep it KISS in plain speak.

Agreed...

First, it's not our job to educate people with respect to cryptography/security in general... we should only focus on the keyserver related issues, and as such we should IMHO rather try to educate users that the whole keyserver network can never really protect from MiM downgrading and/or blocking attacks. But even that should rather be taught by the OpenPGP implementations.

A simple note as in the BSD license, that the service is provided as is, might make sense, though.

Cheers,
Chris.
Re: [Sks-devel] Contact keyserver.ubuntu.com
On Fri, 2013-08-16 at 13:41 +0200, Christian Felsing wrote:
> does anybody know how to contact admin of keyserver.ubuntu.com?

I usually use r...@ubuntu.com... - also waiting for them to act on my peering entry right now ;)

Cheers,
Chris.
Re: [Sks-devel] Peering status of limited peers
On Wed, 2013-08-14 at 04:08 -0400, Phil Pennock wrote:
> * stinkfoot.org

I'm one of its two peers... Not sure why recon doesn't work here... the server still uses my old DNS name (i.e. without the a. in front of it), but for IPv4 this should work as long as I haven't added further addresses to the now round-robin keyserver.pki.scientia.net.

Anyway,... the person I suppose to be the operator hasn't answered my mail yet.

Cheers,
Chris.
Re: [Sks-devel] Peering status of limited peers
On Wed, 2013-08-14 at 03:23 +0200, Petru Ghita wrote:
> Are there some error messages that should be monitored on the log files?

Well apart from denied reconciliations (both as server and client)... it's probably interesting to monitor 417/5xx HTTP errors... (not sure though whether SKS itself logs these at all).

Cheers,
Chris.
Re: [Sks-devel] Peering status of limited peers
On Mon, 2013-08-12 at 20:00 -0400, Phil Pennock wrote:
> Perhaps of use for people wanting to explore the connectivity.

Quite nice... Can we have this on a regularly updated basis on e.g. sks-keyservers.net? Perhaps also with 7 and 10 connections (or some reasonable numbers).

Not sure if it makes sense to also look at the whole thing with just IPv4 and v6 connectivity... probably not that much as neither of both is scheduled to vanish immediately ;)

I'd generally like the idea if people could subscribe to an alerting system (e.g. also at sks-keyservers.net) which notifies them about issues with their servers, like:
- falling out of the pool for several days or weeks
- not being accessible anymore
- having failing cross-peerings
- limited connectivity to other peers

Guess that could easily help in avoiding keyservers that break. I had the same with my old one recently, that it stopped with reconciliation and had DB issues... or I recently noted the same on bazon.ru.

Sure, people have their logs,... but to be honest... who looks at them daily?! ;)

Cheers,
Chris.
[Sks-devel] Raising Sys.Break -- PTree may be corrupted: Failure(add_to_node: attempt to reinsert element into prefix tree)
Hi.

As mentioned previously I'm in the process of migrating/re-installing my SKS instance on a much better machine... I run SKS 1.1.3 from Debian sid (which has BDB 5.1, IIRC).

Just for trying, I dumped the keydb from my old server, and made a full build on the new one (which worked fine, i.e. no errors[0] during that were shown).

Anyway, when I now start sks, then the db process seems to run fine:
2013-07-31 05:16:11 Opening KeyDB database
2013-07-31 05:16:11 Calculating DB stats
2013-07-31 05:16:15 Done calculating DB stats
2013-07-31 05:16:15 Database opened
2013-07-31 05:16:15 Applied filters: yminsky.dedup, yminsky.merge
2013-07-31 05:16:15 Sending LogResp size 62
2013-07-31 06:16:15 Checkpointing database
2013-07-31 06:16:15 Checkpointing complete
2013-07-31 07:16:15 Checkpointing database
2013-07-31 07:16:15 Checkpointing complete

But the recon process just dies a few seconds after it started:
2013-07-31 05:16:11 sks_recon, SKS version 1.1.3
2013-07-31 05:16:11 Copyright Yaron Minsky 2002-2003
2013-07-31 05:16:11 Licensed under GPL. See COPYING file for details
2013-07-31 05:16:11 Opening PTree database
2013-07-31 05:16:11 Setting up PTree data structure
2013-07-31 05:16:11 PTree setup complete
2013-07-31 05:16:15 Raising Sys.Break -- PTree may be corrupted: Failure(add_to_node: attempt to reinsert element into prefix tree)
2013-07-31 05:16:15 DB closed

(again, this is a fresh install).

sks cleandb didn't help.

I looked around in the archive and past reports mentioned problems on VMs,... well the OLD sks instance (i.e. the one I made the keydump on) was a VM,.. but the new node is actually a physical node.

My sksconf is rather boring:
hostname: a.keyserver.pki.scientia.net
hkp_address: localhost
membership_reload_interval: 1
recon_address: someIP
disable_mailsync:
from_addr: scientia.net OpenPGP Keyservers - Mail Gateway mail-gate...@keyserver.pki.scientia.net
initial_stat:

The membership file was still empty, as I just wanted to run it for a test.
Cheers,
Chris.

[0] Though I've originally had the problems mentioned here:
https://bitbucket.org/skskeyserver/sks-keyserver/issue/8
[Sks-devel] is mailsync still required?
Hi.

I just wondered whether mailsync is still required, or in other words whether any non-SKS networks are left.

At a first short search I couldn't find any PKS server... pgp.mit.edu used to be one for a very long time, but I suggested them years ago to switch to SKS, and IIRC they did.

Are there any other PKS servers left?

What about ONAK? the.earth.li seems to be one? Are there any others? Do the ONAK servers sync amongst themselves?

Cheers,
Chris.
Re: [Sks-devel] is mailsync still required?
Sorry for the double post (as for this post), used the wrong address initially, and the moderator seemed to have let it through in the end.

Chris.
Re: [Sks-devel] Raising Sys.Break -- PTree may be corrupted: Failure(add_to_node: attempt to reinsert element into prefix tree)
On Wed, 2013-07-31 at 13:25 -0400, Phil Pennock wrote:
> The core problem is not specific to VMs, just immensely more likely on
> them, or Windows, than most modern Unix. The issue is that the current
> timestamp was used as a uniqueness key.

I see... so what's the suggested action then when one finally has 1.1.4? Recreate the DB to get rid of any possible corruptions?

> Anything to do with internal corruption of the PTree like this, I
> suggest trying 1.1.4 with my uniqueness fixes and see if that solves
> the issue.

Well the problem for me is that it's not yet in Debian and I'm not very keen on keeping it up to date manually.

Does anyone else here know what's the status there? Christoph Martin seems to be a bit inactive :(

Cheers,
Chris.
[Sks-devel] ECC keys and SKS 1.1.3
Hi.

I'll need to move my keyserver (keyserver.pki.scientia.net) to a new host/IP (and perhaps I'll even change the domain name with that) in a few days and wondered the following:

Since (IIRC) the 1.1.4 changelog mentioned that it added support for ECC keys... what does that mean for 1.1.3 servers? Can't they get/store ECC keys right now? Will they pull all the missing keys from the other servers once being upgraded? Even when a key had both RSA and ECC primary/subkeys mixed?

Cheers,
Chris.

btw: Does anyone know about the status of the sks Debian package (the official one)? Is it going to be upgraded anytime soon?
Re: [Sks-devel] Social media and keyserver operators?
On Mon, 2012-06-11 at 21:49 -0400, Phil Pennock wrote:
> I'm thinking of creating a keyserver operator circle list, both set to
> be public.

Is this really a good idea? I mean I'd like to see a sks-operators mailing list... and this list should focus on development only... but Twitter/G+/FB are not really open-sourceish...

And one shouldn't distribute discussions on too many different places... mailing lists are IMHO the most widely accepted way for that and personally I dislike projects that offer mailing lists + forum + IRC + etc. ... as you more or less have to follow all of them.

Cheers,
Chris.
Re: [Sks-devel] Whats last version of SKS Server?
On Mon, 2012-05-14 at 13:45 -0400, Jeffrey Johnson wrote:
> of a Debian developer

AFAIK, neither Sebastian nor Jens are Debian Developers. (see http://db.debian.org/)

Cheers,
Chris.
Re: [Sks-devel] Debian binary replacement
On Fri, 2012-05-11 at 00:34 +0200, Arnold wrote:
> The readme says:
> > This ... version ... is intended to humiliate and expose the
> > following persons
> So, this version is not intended for me, despite the subject and the
> fact I use Debian and the Debian distributed SKS. I'll just wait for
> the next version with other intentions.

Totally agree... not only are such words extremely childish and dumb, they're also legally questionable.

Unusable and not meeting the quality standards of Debian.

Chris.
Re: [Sks-devel] Debian binary replacement
One follow up perhaps...

Sebastian and Jens (not sure which of you is actually responsible for what).

I really doubt that you make many friends or reach your assumed aim (getting new SKS versions properly into Debian) when negatively pointing at the Debian maintainer in all different places (just spotted some comments on fhs-discuss).

As far as I can see in [0], he never said that he won't do any new packages,... he just said he has no plans yet.

There are many different ways in Debian to help, and I'd say that would have been the first step: asking Christoph whether he needs help, or whether you can co-maintain, or whether he'd sponsor uploads, etc. pp.

If there shall really be deeper unsolvable problems (which so far - by what is readable in public communications - I haven't seen) with a maintainer, there are mechanisms in Debian to solve this,... first by discussion on debian-devel, then via tech-ctte.

You shouldn't forget that all this is done by volunteers and if you offend them things likely won't get better.

Chris.

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663757#22
Re: [Sks-devel] SKS debian package
Jeffrey, it's a bit strange to read you claiming Debian would have a lack of skill / etc. while you try to convince us of static linking, or at least that's what I think you do.

Whether BDB has a big CVE record or not doesn't matter at all, as security holes (or other critical bugs) can just always be found and then one has a problem with static linking,... even if you don't technically link statically, but just include a shared lib in the sks package,... you'd end up with all the same problems.

Apart from that, I don't see any advantage of that way that you'd have told us so far? You'd still have the problem that sks, in some way, would need to be adapted (eventually) to current BDB releases... Given that projects may not be able to do this immediately, I considered it to be quite handy if distros like deb ship more than just one major BDB release (although, ideally it would be just the most recent one).

Nevertheless, it's open source and you're free to do (more or less) whatever you want. I can just tell you that no distro will take such packages (if they know) when you can't tell them very strong reasons. And I can just suggest sks developers not to follow that way.

Chris.
Re: [Sks-devel] Hosting debian packages
On Sun, 2012-04-29 at 16:03 -0500, John Clizbe wrote:
> I wouldn't call the project's Google Code downloads page Unofficial :-)

Surely, but the advantage of distros having their repositories... you get something that is tailored toward the distro and its other packages,... someone (the maintainer) has taken care of all difficulties and traps, you get security support, etc. pp.

In some way it may make attacks more difficult in contrast to everybody.

Chris.
Re: [Sks-devel] SKS debian package
On Fri, 2012-04-20 at 19:44 -0500, John Clizbe wrote:
> See my message from last night with the 11:38PM CDT timestamp.
> Upgrading for DB is pretty painless.

Well if this is not possible, just add a NEWS entry, fully describing what has to be done. Generally it would be a good idea to extensively document stuff in the changelog ;)

> I think we could host the .deb(s) on the Google Code download page

Would you need a .deb for each Debian release?

I think that it would be very important to get it into official Debian. On previous occasions I've had contact with the maintainer there and he seemed to be quite friendly. Perhaps he could sponsor uploads, or hand over maintenance.

Cheers,
Chris.
Re: [Sks-devel] SKS debian package
On Sat, 2012-04-21 at 14:56 -0400, Jeffrey Johnson wrote:
> And the recommended -- by SleepyCat -- solution is to internalize
> Berkeley DB to avoid breakage between different applications compiled
> against different libraries.

With "internalise" you mean that the package should ship its own copy of BDB? Then I'd generally suggest against it... this is basically static linking and for all well known reasons should only be used in very very very rare circumstances.

Cheers,
Chris.
Re: [Sks-devel] sks recon DB corrupted
Thanks for the hint.

Adding a DB_CONFIG file and increasing the mutex to 2^16 helped so far (though I had to do it for BOTH (!) databases, DB and Ptree, and the used mutexes for Ptree are still increasing at currently about 1.

Is this normal? Can't we just increase the defaults in the source code?

Cheers,
Chris.
[Sks-devel] sks recon DB corrupted
Hi.

Since some days my recon DB seems to be corrupted. recon.log gives the following message.

...
2011-05-25 13:51:30 address for alpha.keyserver.ws:11370 changed from [] to [ADDR_INET [64.70.19.33]:11370]
2011-05-25 13:51:41 reconciliation handler error in callback.: Bdb.DBError(unable to allocate memory for mutex; resize mutex region)

Afterwards the process stays in uninterruptible state forever (until I kill it).

Using the Debian package from sid (1.1.1+dpkgv3-6.1).

Any ideas, or do I have to recreate everything from scratch?

Cheers,
Chris.
[Sks-devel] misc errors and their meanings?
Hi.

I get several errors which I don't understand:

in db.log:

1) many like these:
2010-10-25 01:50:53 Error fetching key from hash 9BC79BCAF20C03977BAD4986AE5A2EA8: Not_found
2010-10-25 04:51:48 Error fetching key from hash 1602C783D3BBC01EA6882BCC8C087F40: Not_found
2010-10-25 04:51:48 Error fetching key from hash DB7FCC05B8B531038352BD920811C07C: Not_found
2010-10-25 05:27:28 Error fetching key from hash 63F992DC43065DC8CD6577152F939CA7: Not_found
2010-10-25 05:27:28 Error fetching key from hash 6D18637BE544356DDD17464C93938FD3: Not_found
2010-10-25 06:20:45 Error fetching key from hash 722F0BE97A662518253A377E35FC99FE: Not_found

What are they?

2) And also many search errors like:
2010-10-26 01:04:52 Error handling request (GET,/pks/lookup?op=getexact=offsearch=0x62523331,[
2010-10-24 14:56:10 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0xDFBFAF3B,[
2010-10-24 15:08:04 Error handling request (GET,/pks/lookup?op=vindexhash=onfingerprint=onsearch=0x71ED3E4172121590,[
2010-10-24 17:08:29 Error handling request (GET,/pks/lookup?op=getfingerprint=onsearch=0xEA7330026C73B11B,[
2010-10-24 17:27:27 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0x0379F145,[
2010-10-24 17:55:18 Error handling request (GET,/pks/lookup?op=getfingerprint=onsearch=0x8CD43247841C83E2,[
2010-10-24 21:14:35 Error handling request (GET,/pks/lookup?op=indexoptions=mrsearch=sales%40top%2Dfine%2Dchem%2Ecom,[
2010-10-24 21:31:14 Error handling request (GET,/pks/lookup?op=indexoptions=mrsearch=https%3A%2F%2Fwww%2Eaktivix%2Eorgexact=on,[
2010-10-24 21:32:06 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0x7EA1D419,[
2010-10-24 22:57:21 Error handling request (GET,/pks/lookup?op=indexoptions=mrsearch=Key%20Id%20'0xD553271D',[
2010-10-24 23:00:08 Error handling request (GET,/pks/lookup?op=indexoptions=mrsearch=baidez...@gmail.com,[
2010-10-24 23:00:19 Error handling request (GET,/pks/lookup?op=indexoptions=mrsearch=baidez...@gmail.com,[
2010-10-24 23:08:06 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0x54B3B3DB,[
2010-10-24 23:08:30 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0x54B3B3DB,[
2010-10-24 23:12:17 Error handling request (GET,/pks/lookup?op=indexoptions=mrsearch=alex%40henleycomputers%2Eco%2Euk,[
2010-10-24 23:17:04 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0x8B02F9CE,[
2010-10-24 23:17:08 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0xEDF00B5D,[
2010-10-24 23:17:11 Error handling request (GET,/pks/lookup?op=getoptions=mrsearch=0x25B82406,[

These seem to be all client requests,... but why errors? I mean even if no keys with those IDs, etc. exist... it shouldn't give an error.

in recon.log:

1) loads of the following:
recon as client error in callback.: End_of_file
recon as client error in callback.: Sys_error(Connection reset by peer)
recon as client error in callback.: Unix error: Connection refused - connect()
recon as client error in callback.: Unix error: Connection timed out - connect()
recon as client error in callback.: Unix error: No route to host - connect()
reconciliation handler error in callback.: End_of_file

Any ideas?

Cheers,
Chris.
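As an added example (not SKS code): a small classifier for the db.log and recon.log error lines quoted above, which also serves the monitoring/alerting idea from the "Peering status of limited peers" thread. It groups the messages by kind, folds the OCaml/Unix wrapping of recon failures so equal causes count together, and turns the counts into operator alerts; the sample lines are constructed in the shape of the quoted excerpts, with made-up hashes and proper "&" separators in the request paths.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Optional "YYYY-MM-DD HH:MM:SS " prefix: db.log lines carry it, the quoted
# recon.log lines above do not.
TS = r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) )?"

PATTERNS = {
    "keydb_not_found": re.compile(TS + r"Error fetching key from hash (?P<hash>[0-9A-Fa-f]{32}): Not_found$"),
    "request_error":   re.compile(TS + r"Error handling request \((?P<method>[A-Z]+),(?P<path>[^,]+),"),
    "recon_client":    re.compile(TS + r"recon as client error in callback\.: (?P<reason>.+)$"),
    "recon_handler":   re.compile(TS + r"reconciliation handler error in callback\.: (?P<reason>.+)$"),
}


def classify(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (class name, captured fields) for one log line; 'other' if nothing fits."""
    for name, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v is not None}
    return "other", {}


def normalize_reason(reason: str) -> str:
    """Strip the OCaml/Unix wrapping so equal failures count together, e.g.
    'Unix error: Connection refused - connect()' -> 'Connection refused'."""
    reason = reason.strip()
    if reason.startswith("Unix error: "):
        reason = reason[len("Unix error: "):]
    elif reason.startswith("Sys_error(") and reason.endswith(")"):
        reason = reason[len("Sys_error("):-1]
    return reason.split(" - ")[0]


def lookup_op(path: str) -> str:
    """HKP op (get/index/vindex) of a /pks/lookup request path, '?' if missing."""
    return parse_qs(urlsplit(path).query).get("op", ["?"])[0]


def summarize(lines: List[str]) -> Dict[str, Counter]:
    report = {"by_class": Counter(), "recon_reasons": Counter(), "lookup_ops": Counter()}
    for line in lines:
        name, fields = classify(line)
        report["by_class"][name] += 1
        if name in ("recon_client", "recon_handler"):
            report["recon_reasons"][normalize_reason(fields["reason"])] += 1
        elif name == "request_error":
            report["lookup_ops"][lookup_op(fields["path"])] += 1
    return report


def alerts(report: Dict[str, Counter], not_found_max: int = 0, recon_failure_max: int = 0) -> List[str]:
    """Conditions an operator would want to be notified about, as plain strings."""
    out = []
    nf = report["by_class"]["keydb_not_found"]
    if nf > not_found_max:
        out.append("%d key fetches by hash returned Not_found" % nf)
    failures = sum(report["recon_reasons"].values())
    if failures > recon_failure_max:
        reason, n = report["recon_reasons"].most_common(1)[0]
        out.append("%d recon failures (most common: %s x%d)" % (failures, reason, n))
    return out


# Constructed sample in the shape of the quoted excerpts (hashes made up).
SAMPLE_LINES = """\
2010-10-25 01:50:53 Error fetching key from hash 0123456789ABCDEF0123456789ABCDEF: Not_found
2010-10-25 04:51:48 Error fetching key from hash FEDCBA9876543210FEDCBA9876543210: Not_found
2010-10-24 14:56:10 Error handling request (GET,/pks/lookup?op=get&options=mr&search=0xDFBFAF3B,[
2010-10-24 21:14:35 Error handling request (GET,/pks/lookup?op=index&options=mr&search=sales%40example%2Ecom,[
2010-10-24 15:08:04 Error handling request (GET,/pks/lookup?op=vindex&hash=on&fingerprint=on&search=0x71ED3E4172121590,[
2010-10-24 23:00:08 Checkpointing database
recon as client error in callback.: End_of_file
recon as client error in callback.: Sys_error(Connection reset by peer)
recon as client error in callback.: Unix error: Connection refused - connect()
recon as client error in callback.: Unix error: Connection refused - connect()
recon as client error in callback.: Unix error: Connection refused - connect()
reconciliation handler error in callback.: End_of_file
""".splitlines()


if __name__ == "__main__":
    for msg in alerts(summarize(SAMPLE_LINES)):
        print("ALERT:", msg)
```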
Re: [Sks-devel] Dump
On Wed, 2010-10-13 at 22:25 -0500, John Clizbe wrote:
> Yes, Chris. It would, especially after losing Peter's site. It would
> also be great if we could expand the number of sites offering keydumps
> so Marco's site doesn't have to bear all of the traffic.

Maybe the following would be the best:
Change all the documentation of SKS (e.g. also README.Debian or things like that in distribution's packages) to tell people that they should get the initial keydump from ftp/http://one.common.domain/
Which is actually just a round robin DNS like the sks pool.

> Ah, the perennial keyserver SPAM canard.

Yeah it's really ridiculous to see this over and over again, just about the same as when people demand to have their keys removed, which really just shows how they don't understand critical parts of the whole web of trust...

> Actually, it's a problem that does exist. For a long time, the SKS
> community had two sites offering keydumps. One had to shutdown last
> month, putting all the traffic onto a single site.

I guess the main fact that was keeping people from offering this so far is that it could really require a lot of traffic,... but if a pooling system were there, it would probably be easy to convince many people to take part.

Cheers,
Chris.
[Sks-devel] Re: Dump
On Wed, 2010-10-13 at 21:36 -0400, R P Herrold wrote:
> just because something CAN be done does not mean it should be done, and here particularly with a fine cache of email addresses intact for spammers to target (rather than having to pull them one-off)

I guess you underestimate today's spammers a bit... everyone knows about keyservers, and everyone can simply crawl through them. And there are publicly known dumps available, apart from that. Maintaining a list of those would just help the respective admins to keep their traffic a bit smaller.

> I think you are running around solving a problem that does not exist, and impairing the privacy of a whole community's members

Really... anyone who believes in privacy or anti-spam measures by not publishing his email and/or his key has either to stay completely alone (in terms of being non-reachable) or accept the fact that addresses will get known by spammers, and that the only real measure against spam is spam filters, and not childish "don't tell ya my address" or stupid things like email(at).-domain.com (yes, spammers also know how to use regular expressions).

Cheers,
Chris.
Re: [Sks-devel] Re: Dump
On Thu, 2010-10-14 at 12:42 -0400, R P Herrold wrote:
> Review the bidding. I rather believe you initiated the uncivil tone, and I have been mild in reply:
>
> Hansen:
> > herrold: and [impairing] the privacy of a whole community's members
> This is nonsense.

This was not even offensive, but just the truth. If you make such big claims, you'll have to live with it if others (knowing it better) tell you so.

Cheers,
Chris.
Re: [Sks-devel] Dump
Hi.

I guess it would make sense to put a list of all sites providing regular keydumps on the googlecode website.

Cheers,
Chris.
Re: [Sks-devel] keyserver.pki.scientia.net downtime [ENDED]
Hi.

The downtime of keyserver.pki.scientia.net has ended. It's available under the same IPv4 address as before. IPv6 is likely to follow at the end of the year.

Cheers,
Chris.
[Sks-devel] keyserver.pki.scientia.net downtime
Hi.

In case any of its peers wonders: the node hosting the SKS at “keyserver.pki.scientia.net.” is damaged and will experience a longer downtime. I'll recreate it on new hardware from scratch and put a note here once it's back.

Cheers,
Chris.
Re: [Sks-devel] new keyserver online
Hey... Oh my goodness... Now listen:

On Sat, 2010-08-21 at 18:54 -0700, C.J. Adams-Collier KF7BMP wrote:
> No. And I advise all others to avoid peering with you until you can prove that you own the private key that will be associated with the keyserver.

I was already willing to put some effort into giving you a strong indication that my key belongs to the owner of my keyserver, as you wanted. If I'm not missing something substantial (and I don't think so), there is really nothing which you'd gain from this anyway. If I send you some encrypted challenge or vice versa, you have no proof that I'm actually Christoph Anton Mitterer, but only that the owner of that key has access to that email address (which an attacker can easily have too, via MitM attacks). Nor does it prove to you that the owner of that key is really the owner of that keyserver, also because of easily possible MitM attacks.

Obviously you're missing some fundamental parts of how cryptosystems (and especially the keyserver infrastructure) work. The latter is not secured anyway, as you can understand from this thread: http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html

> http://apps.leg.wa.gov/rcw/default.aspx?cite=19.34.210

You might have noticed (e.g. using whois on my IP addresses) that I'm not living in the state of Washington and not even in the US. It shows quite some arrogance that you seem to have the impression that this law, or whatever it is, might have some effect in Europe or Germany. Apart from the fact that it seems to be about licensed certificate authorities. No keyserver is a CA...

So next time, before making any impolite public statements, please think twice (or better three times).

Cheers,
Chris.

btw: Of course you're still free to decide with which keyservers you want to peer, which I did now.
Re: [Sks-devel] new keyserver online
On Sun, 2010-08-22 at 12:56 -0700, C.J. Adams-Collier KF7BMP wrote:
> > The necessary root-CAs are available from the International Grid Trust Federation (www.igtf.net)
> Thank you. I will review their CPS and make a decision regarding trust at a later time. I am more hesitant to add CAs to my trust root than I am to trust the ones shipped with NSS. It is unlikely that I will trust this CA until it is included in the NSS pool. http://www.mozilla.org/projects/security/certs/pending/

And how did you get Mozilla's CA pool? In a secure way? I really doubt that...
Re: [Sks-devel] new keyserver online
On Sun, 2010-08-22 at 10:49 -0400, Robert J. Hansen wrote:
> Yes. I was using keyserver as synonymous for keyserver operator. Imprecise language, I grant, but that's English for you.

Nevertheless: why should a keyserver or keyserver operator be a CA or act in such a role? A CA is an entity making a cryptographic assertion on certificates (or keys + UID in the case of OpenPGP). This is also the definition as used in RFC 2828 (more or less). The keyserver is just a distribution point, nothing more, and therefore not a CA. Otherwise my ISP would be a CA too... he's the one that delivers me the certificates...

Cheers,
Chris.
Re: [Sks-devel] new keyserver online
On Sun, 2010-08-22 at 14:48 -0700, C.J. Adams-Collier KF7BMP wrote:
> It was published on a CD, signed by Philipp Kern pk...@debian.org, a Debian Developer whose identity was verified in person by another DD:

And you believe that Philipp has met officials for all the CAs included in the Mozilla bundle and verified them? Mozilla itself just takes them from WebTrust, IIRC... and we've already seen recently how securely Mozilla handles this (when they had a CA included from which they didn't even know to whom it belonged).

Nevertheless, I still don't understand what you actually want. If it's just the verification of my name on the key... then challenge/response doesn't help at all... then you could rather take one of the signatures on my key (e.g. from some DDs, or rather well-known CAs like DFN, CAcert or heise's crypto campaign). Or via the IGTF hierarchy... I could even sign the key with a StartSSL X.509 cert, which is in your Mozilla...

But I thought it's about getting a key that belongs to the owner of the keyserver (mine). Then all the above wouldn't help you at all. The best thing I could do is put the credentials directly on the server (on a website or so), thereby making the official connection. Or provide them via https and a server certificate, e.g. from CAcert. But again... they only check the ownership of a server via whois and email... which is in turn not very secure.

Cheers,
Chris.
Re: [Sks-devel] Looking for peers
Hi.

On Wed, 2009-09-23 at 17:24 +0400, Rakhmatulin Sergey wrote:
> My server key.sodrk.ru:11370, e-mail pkp-...@sodrk.ru.

I'd add you if you're still searching for peers. You can add mine too:
keyserver.pki.scientia.net 11370

btw: The domain name you specified (key.sodrk.ru) differs from what sks thinks it's running under (see http://key.sodrk.ru:11371/pks/lookup?op=stats).

Best wishes,
Chris.
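The mismatch pointed out above (the hostname in a peer's membership entry versus the hostname that peer's own stats page reports) is easy to check for all peers at once. The following is an added example written for this page, not code from the thread or from the SKS project. It reads a membership file in the "hostname port [# comment]" layout, pulls the "Hostname:" value out of each peer's /pks/lookup?op=stats page and reports every peer whose reported name differs. All inputs are constructed; the HTML layout the regex expects (a "Hostname:" cell followed by the value cell) is an assumption about the stats page, and the mismatching name is made up.

```python
import re
from urllib.request import urlopen

# Constructed membership file in the "hostname port [# comment]" layout SKS reads.
MEMBERSHIP = """\
# gossip peers
www.mainframe.cx 11370
keyserver.gingerbear.net 11370   # added 2009-02
key.sodrk.ru 11370
"""

# Constructed excerpts of what /pks/lookup?op=stats returns. The HTML layout
# (a "Hostname:" cell followed by the value cell) is an assumption, not copied
# from SKS; the mismatching hostname for the last peer is made up.
STATS_PAGES = {
    "www.mainframe.cx":
        "<h2>Settings</h2><table><tr><td>Hostname:</td><td>www.mainframe.cx</td></tr>",
    "keyserver.gingerbear.net":
        "<tr><td>Hostname:</td><td>keyserver.gingerbear.net</td></tr>",
    "key.sodrk.ru":
        "<tr><td>Hostname:</td><td>keyserver.example.net</td></tr>",
}

HOSTNAME_CELL = re.compile(r"Hostname:\s*</td>\s*<td>\s*([^<\s]+)", re.IGNORECASE)


def canonical(host):
    """Lower-case and drop a trailing dot so equal names compare equal."""
    return host.strip().lower().rstrip(".")


def parse_membership(text):
    """Return [(host, port)] from a membership file, ignoring comments."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, port = line.split()
        peers.append((host, int(port)))
    return peers


def stats_hostname(html):
    """Hostname the remote SKS believes it is running under, or None."""
    m = HOSTNAME_CELL.search(html)
    return canonical(m.group(1)) if m else None


def find_mismatches(peers, pages):
    """(host, port, reported) for peers whose stats hostname differs.

    reported is None when no stats page was available for that peer."""
    out = []
    for host, port in peers:
        html = pages.get(host)
        reported = stats_hostname(html) if html is not None else None
        if reported != canonical(host):
            out.append((host, port, reported))
    return out


def fetch_stats_pages(peers, hkp_port=11371, timeout=10):
    """Live variant: fetch op=stats from each peer's HKP port (11371 by default)."""
    pages = {}
    for host, _ in peers:
        try:
            with urlopen(f"http://{host}:{hkp_port}/pks/lookup?op=stats", timeout=timeout) as r:
                pages[host] = r.read().decode("utf-8", "replace")
        except OSError as e:
            print(f"{host}: {e}")
    return pages


if __name__ == "__main__":
    peers = parse_membership(MEMBERSHIP)
    for host, port, reported in find_mismatches(peers, STATS_PAGES):
        print(f"{host}:{port} reports Hostname: {reported!r}; check that peer's config")
```

Replace STATS_PAGES with fetch_stats_pages(peers) to run it against real peers; a peer that reports a different name than the one in your membership file usually has its hostname setting wrong, or you have the wrong name, and either way recon will not behave as expected.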
Re: [Sks-devel] pool.sks-keyservers.net down?
On Thu, 2009-08-13 at 10:39 +0200, Sebastian Wiesinger wrote:
> I entered pool.sks-keyservers.net as keyserver address in GnuPG but it doesn't return any A/AAAA records at the moment.

For me it works ;)

# dig pool.sks-keyservers.net any

; <<>> DiG 9.6.1-P1 <<>> pool.sks-keyservers.net any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43102
;; flags: qr rd ra; QUERY: 1, ANSWER: 19, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;pool.sks-keyservers.net.    IN    ANY

;; ANSWER SECTION:
pool.sks-keyservers.net.  21600  IN  AAAA  2001:41d0:1:e812:1c:c0ff:fe65:2cd4
pool.sks-keyservers.net.  21600  IN  AAAA  2a01:198:328:488::189
pool.sks-keyservers.net.  21600  IN  AAAA  2a02:898:31:0:48:4558:73:6b73
pool.sks-keyservers.net.  21600  IN  AAAA  2001:470:1f0a:d4::2
pool.sks-keyservers.net.  21600  IN  AAAA  2001:610:1108:5011:230:48ff:fe12:2794
pool.sks-keyservers.net.  21600  IN  AAAA  2001:638:204:10::2:1
pool.sks-keyservers.net.  21600  IN  AAAA  2001:738:0:1:209:6bff:fe8c:845a
pool.sks-keyservers.net.  21600  IN  AAAA  2001:1418:1d7:1::1
pool.sks-keyservers.net.  21600  IN  AAAA  2001:16d8:ee30::4
pool.sks-keyservers.net.  21600  IN  A     79.47.84.242
pool.sks-keyservers.net.  21600  IN  A     84.16.235.61
pool.sks-keyservers.net.  21600  IN  A     84.253.50.136
pool.sks-keyservers.net.  21600  IN  A     87.98.166.252
pool.sks-keyservers.net.  21600  IN  A     98.218.83.144
pool.sks-keyservers.net.  21600  IN  A     161.53.2.216
pool.sks-keyservers.net.  21600  IN  A     194.171.167.98
pool.sks-keyservers.net.  21600  IN  A     195.22.207.161
pool.sks-keyservers.net.  21600  IN  A     195.111.98.30
pool.sks-keyservers.net.  21600  IN  A     202.191.99.51

;; AUTHORITY SECTION:
sks-keyservers.net.  21600  IN  NS  ns1.kfwebs.net.
sks-keyservers.net.  21600  IN  NS  ns2.kfwebs.net.

;; Query time: 90 msec
;; SERVER: 84.16.235.61#53(84.16.235.61)
;; WHEN: Thu Aug 13 19:41:04 2009
;; MSG SIZE  rcvd: 496

Regards,
Chris.
Re: [Sks-devel] Re: [PATCH] Proper case handling for words index
Hi.

Are we going to see a new sks release in the near future, with all the recent patches (IPv6, DNS, this one, etc.)? Perhaps including an end-user targeted guide on how to recover from bugs like this one (dump/restore procedure)?

Best wishes,
Chris.
Re: [Sks-devel] looking for gossip peers
Sorry for writing German. I didn't want to CC this to the list ;)

Regards,
Chris
Re: [Sks-devel] details to configure SKS https web interface
On Mon, 2009-03-09 at 09:52 -0400, David Shaw wrote:
> We may end up with hkps on port 11372 just for lack of support for doing anything else.

One should not use port numbers from the registered port numbers area... if it's not actually registered or even used by something else.

Chris.
Re: [Sks-devel] looking for initial key dump and gossip partners
Hi.

Thanks for all your information. It took a little bit longer (I exchanged the hardware of my server, and used the non-fast-DB-build ;) )... but now it's up and working, at least in its initial configuration (without fancy website etc.).

Anyway, I'd still like to have many more gossip partners. Currently I've added the following to my list:
www.mainframe.cx 11370
keyserver.gingerbear.net 11370
ice.mudshark.org 11370

It seems as if reconciliation with them works fine.

btw: I get errors like the following:
2009-02-06 09:50:10 recon as client callback timed out.
...
2009-02-06 09:53:17 recon as client error in callback.: End_of_file
...
2009-02-06 10:18:11 recon as client error in callback.: Sys_error(Connection reset by peer)
Re: [Sks-devel] looking for initial key dump and gossip partners
Hi.

Thanks for all your information. It took a little bit longer (I exchanged the hardware of my server, and used the non-fast-DB-build ;) )... but now it's up and working, at least in its initial configuration (without fancy website etc.).

Anyway, I'd still like to have many more gossip partners. Currently I've added the following to my list:
www.mainframe.cx 11370
keyserver.gingerbear.net 11370
ice.mudshark.org 11370

It seems as if reconciliation with them works fine.

btw: I get errors like the following:
2009-02-06 02:10:14 Malformed entry ...
2009-02-06 09:50:10 recon as client callback timed out.
...
2009-02-06 09:53:17 recon as client error in callback.: End_of_file
...
2009-02-06 10:18:11 recon as client error in callback.: Sys_error(Connection reset by peer)

What do they mean?

The following probably means that the other peer had not added me to his list, right?!
2009-02-06 02:31:45 Reconciliation attempt from ADDR_INET foo:bar while gossip disabled. Ignoring.

Regards,
Chris.

btw: sorry if this mail should have been sent multiple times to the list...
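The recon.log and request-error lines quoted in this message and in the "why errors?" message above are the kind of thing an operator ends up grepping through by hand. The following is an added example written for this page, not code from the thread or from the SKS project: a small Python triage script that classifies those line formats (recon callback errors and timeouts, "Malformed entry", "Reconciliation attempt ... while gossip disabled", and the HKP frontend's "Error handling request" lines), normalises the recon error reasons so that equal failures count together, and extracts op and search from the failed /pks/lookup requests. The sample log is constructed to match the quoted formats; its timestamps, peer address and key IDs are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, modelled on the line formats quoted in the thread.
# Timestamps, the peer address and the key IDs are made up for this example.
SAMPLE_LOG = """\
2009-02-06 02:10:14 Malformed entry ...
2009-02-06 02:31:45 Reconciliation attempt from ADDR_INET 192.0.2.10:11370 while gossip disabled. Ignoring.
2009-02-06 09:50:10 recon as client callback timed out.
2009-02-06 09:53:17 recon as client error in callback.: End_of_file
2009-02-06 10:18:11 recon as client error in callback.: Sys_error(Connection reset by peer)
2009-02-06 10:20:01 recon as client error in callback.: Unix error: Connection refused - connect()
2009-02-06 10:25:33 reconciliation handler error in callback.: End_of_file
2010-10-24 23:08:06 Error handling request (GET,/pks/lookup?op=get&options=mr&search=0x54B3B3DB,[...])
2010-10-24 23:12:17 Error handling request (GET,/pks/lookup?op=index&options=mr&search=alex%40example%2Ecom,[...])
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# (category, pattern) pairs tried in order; the first match wins.
PATTERNS = [
    ("recon_client_timeout", re.compile(r"^recon as client callback timed out\.$")),
    ("recon_client_error", re.compile(r"^recon as client error in callback\.: (?P<detail>.*)$")),
    ("recon_handler_error", re.compile(r"^reconciliation handler error in callback\.: (?P<detail>.*)$")),
    ("gossip_disabled", re.compile(r"^Reconciliation attempt from ADDR_INET (?P<detail>\S+) while gossip disabled")),
    ("malformed_entry", re.compile(r"^Malformed entry")),
    ("request_error", re.compile(r"^Error handling request \((?P<method>\w+),(?P<detail>[^,]+),")),
]


def classify(line):
    """Return (timestamp, category, detail) for one log line, or None if it has no timestamp."""
    m = TIMESTAMP.match(line.rstrip())
    if not m:
        return None
    ts, msg = m.groups()
    for category, pat in PATTERNS:
        hit = pat.match(msg)
        if hit:
            return ts, category, hit.groupdict().get("detail", "")
    return ts, "other", msg


def normalize_reason(detail):
    """Strip the OCaml Sys_error(...) and 'Unix error: ... - syscall()' wrapping."""
    m = re.fullmatch(r"Sys_error\((.*)\)", detail)
    if m:
        return m.group(1)
    m = re.fullmatch(r"Unix error: (.*?) - \w+\(\)", detail)
    if m:
        return m.group(1)
    return detail


def summarize(text):
    """Count log lines per category."""
    counts = Counter()
    for line in text.splitlines():
        c = classify(line)
        if c:
            counts[c[1]] += 1
    return counts


def recon_error_reasons(text):
    """Count the underlying reasons of recon errors (client and handler side)."""
    reasons = Counter()
    for line in text.splitlines():
        c = classify(line)
        if c and c[1] in ("recon_client_error", "recon_handler_error"):
            reasons[normalize_reason(c[2])] += 1
    return reasons


def failed_lookups(text):
    """(op, search) for each 'Error handling request' line on /pks/lookup."""
    out = []
    for line in text.splitlines():
        c = classify(line)
        if c and c[1] == "request_error":
            q = parse_qs(urlsplit(c[2]).query)
            out.append((q.get("op", [""])[0], q.get("search", [""])[0]))
    return out


if __name__ == "__main__":
    for name, counter in (("categories", summarize(SAMPLE_LOG)),
                          ("recon reasons", recon_error_reasons(SAMPLE_LOG))):
        print(name)
        for k, v in counter.most_common():
            print(f"  {v:4d}  {k}")
    print("failed lookups:", failed_lookups(SAMPLE_LOG))
```

Feed it a real recon.log or db.log instead of SAMPLE_LOG; a spike of "Connection refused" or "No route to host" against one peer points at that peer being down or firewalled, while "End_of_file" on the handler side means the remote end closed the recon session early. The script only groups what the log already says; it does not explain the cause of the request errors asked about above.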
Re: [Sks-devel] Ports used by sks
On Mon, 2009-02-02 at 19:21 -0500, David Shaw wrote:
> No. You should have a document specifying what the port actually is and the protocol that is used on the port before you claim it. There is a spec for 11371. You need a spec for 11370.

I was aware of that process :-)

> Also, isn't the port changeable on a per-peer basis in SKS? If so, there is no point in registering the port at all, as setting up a new peer is a manual operation.

Well, but this is also the case with the 11371 port, and basically with most other protocols too, isn't it?

> A SKS instance doesn't need to know a well-known port to become a peer.

Well, it was just an idea, when I saw that probably most keyservers stuck with the default (11370) and this was still unassigned. I didn't intend to step on someone's feet :)

btw: I was not about to register a port number in the well-known range ;)

Best wishes,
-- 
Christoph Anton Mitterer
Ludwig-Maximilians-Universität München
christoph.anton.mitte...@physik.uni-muenchen.de
m...@christoph.anton.mitterer.name