Re: [Sks-devel] About deleting keys

2013-10-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 10/29/2013 11:48 PM, Arnold wrote:
> On 10/29/2013 11:25 PM, Kristian Fiskerstrand wrote:
>> On 10/29/2013 11:05 PM, Arnold wrote:

...

> The scalability I was talking about was about the existence of
> multiple servers in multiple countries (to have available for
> balancing the load for one thing). If we don't take care of this
> thread, the SKS network might very well be reduced to a few servers
> in a single country very soon... I am not looking forward to rely
> on SKS key servers in some country where they log and analyse which
> keys I retrieve.

You would still be able to run a private keyserver on your local
network only accessible for yourself and your peers, and not as a
public service, still taking care of the logging issue (this is a sane
approach already).


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Bene diagnoscitur, bene curatur
Something that is well diagnosed can be cured well
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.1.0-beta255 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] reverse proxies and the pool

2013-10-30 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 10/30/2013 07:31 PM, Gabor Kiss wrote:
>> Whatever the decision, could you provide documentation for 
>> configuration of such a reverse proxy for both Apache and Nginx?
> 
> What I miss is a set of diagnostic procedures/recipes that could 
> help an operator to figure out if his server fits various
> requirements.
> 
> Like this was on Monday:
> 
> | Virtualhost-related, no match found

Note the wiki[0] clearly stating, for apache config:
"## do *not* set NameVirtualHost on this host:port combination!
## For :11371, we use IP/port virtual-hosting, not names, accepting
## any pool name."


References:
[0] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Testis unus, testis nullus
A single witness is no witness
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.1.0-beta255 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] reverse proxies and the pool

2013-10-30 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 10/30/2013 07:22 PM, Andy Ruddock wrote:
> Kristian Fiskerstrand wrote:
>> Hi,
> 
>> 

..



>> [a] please follow the Peer recommendations and allow every Host:
>>  connection on 11371 to go through to SKS, otherwise it will
>> break e.g. keys.gnupg.net.
> 
> Whatever the decision, could you provide documentation for 
> configuration of such a reverse proxy for both Apache and Nginx?
> 
> 

You'll find this in the wiki[0], and for load balanced nginx I've also
written a post on [1].

References:
[0] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
[1] http://blog.sumptuouscapital.com/2013/10/load-balancing-sks/

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Testis unus, testis nullus
A single witness is no witness
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.1.0-beta255 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJScVFSAAoJEAt/i2Dj7frjGVYP/3wBjkK+H03mWaYmRFCBz1jH
1lz+7bW5FQMfdUtP3XAQ2Bi7zW7aoos+8v6hDAPJCPf47cBVZGK+hVJD2zRLxwZZ
y0870sAW+73eMGeVkSuehZhbnk+Rsh1P+0MtM1PwnauqeFNQ20AXTsH481F6pXdp
NkYu4CiABp9w1YQgIroQ/wZTO/Q/oq0dOihaBSeaby3X+ks572BmkDX1ZqLjqZel
d9NijlGbeUPYcPsYUoOZCuVoJwTEfIwDwWHq+AVLLNcDCar8Rs0MgQ0zFqAxfF7j
6q/0brlI2DwrZfPaSrcDgQ+ideVqiISFsEvo42nX8yuPbSnJ2DR6oTI1VMmaFArS
xAvJktjcc9YUMS33B9YZpPHLVry7pQPYbeTxK3yCjJjASPNeMEbqCcpNz+wJAZYq
8rkQpyPVzb+v+ROVkttRb4zYuKtAYl+m+0Jl8/N+COAyc/9T7FTiGROH8ETsYZ7R
fOLP5eDfUbSv0yM0CBmd/2SXukseHNol/Na+u2BYWJ09Uf0EIYx/nmS9go3+JQcY
rfM7+94sVR9Q5NiyWinpCK/YVZYOXhFzP6UOVrz35FE59P/bANCF6kRsilHiYjQN
5FdZCmZPxtLeOt60LJjcZj8k58PnJwNtFSTVVzUZPZLZmGmh3K0uxmW4cF2JfAPH
VKmYBBD8S4rb6l70uidk
=fjPw
-END PGP SIGNATURE-



Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"

2013-11-08 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/08/2013 09:33 PM, Nat Howard wrote:

...

> 
> P.S. I noticed that some of you in the "hkps green zone" on the
> status page *also* don't have this working (I won't name names!).
> In fact, almost all of the ones I tried didn't have this working
> (Yes, I changed the https name as appropriate in the curl command).
> However congratulations to keys.sflc.info --

In curl the SNI isn't directly interpreted from the Host name by
default, I'm using a patch available at [0] for this to happen. The
proper curl protocol to override the hostname is to use curl_resolve
for this, making it somewhat more difficult to debug. But in this case
I'm testing for hostname of hkps.pool.sks-keyservers.net directly,
which is why it works for PGP clients.

[0]
https://bitbucket.org/kristianf/portage-user-patches/src/d40e0f3634ed0f4c2fc4237d364f387f6ddf3f9d/patches/net-misc/curl/01_http_host_sni.patch?at=default


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nunc aut numquam
Now or never
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-

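
The check Nat describes only means something if both the Host header and the TLS server name (SNI) carry the pool name while the connection goes to one operator's address. With stock curl that is what the --resolve option does: "curl --resolve hkps.pool.sks-keyservers.net:443:<server-ip> https://hkps.pool.sks-keyservers.net/pks/lookup?op=stats" keeps the pool name in the URL (and therefore in SNI and Host) but connects to the given IP. The script below is an added example, not code from this list or from the SKS project: it performs the same handshake from Python, verifies the chain against a CA file you supply (the hkps pool used its own CA rather than a public one, so the path to that CA certificate is an assumption of the example), and then reports which DNS names the served certificate actually covers instead of simply failing the handshake. The matching helper implements exact names and a single leftmost wildcard label only.

```python
import socket
import ssl

POOL_NAME = "hkps.pool.sks-keyservers.net"


def matching_sans(sans, hostname):
    """Return the dNSName SANs that cover hostname.

    sans is the subjectAltName tuple as returned by ssl's getpeercert(), e.g.
    (("DNS", "keys.example.net"), ("DNS", "*.pool.example.net"), ...).
    A wildcard covers exactly one leftmost label; entries that are not DNS
    names (IP Address, email) never match a hostname.
    """
    host = hostname.rstrip(".").lower()
    hits = []
    for kind, value in sans:
        if kind != "DNS":
            continue
        name = value.rstrip(".").lower()
        if name == host:
            hits.append(value)
        elif name.startswith("*.") and "." in host and name[1:] == host[host.index("."):]:
            hits.append(value)
    return hits


def fetch_cert_with_sni(ip, sni, cafile, port=443, timeout=10.0):
    """TLS-connect to ip:port announcing sni, verify the chain against cafile
    and return the parsed leaf certificate.

    Hostname checking is switched off on purpose: we want to see the
    certificate even when its names are wrong, so we can report them."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def check_hkps_server(ip, cafile, sni=POOL_NAME):
    """Does the certificate a server presents for the pool SNI name the pool?

    This is the failure Nat saw on most servers: the operator's own name is
    in the certificate, the pool name is not."""
    cert = fetch_cert_with_sni(ip, sni, cafile)
    sans = cert.get("subjectAltName", ())
    return {
        "sni": sni,
        "dns_names": [v for k, v in sans if k == "DNS"],
        "ok": bool(matching_sans(sans, sni)),
    }


if __name__ == "__main__":
    import sys
    # usage: python hkps_check.py <server-ip> <path-to-pool-CA.pem>
    print(check_hkps_server(sys.argv[1], sys.argv[2]))
```

Run it once per server address with the pool CA file; "ok" is False whenever the certificate lists only the operator's own hostname, which is exactly the case a PGP client configured for hkps.pool.sks-keyservers.net will reject.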


Re: [Sks-devel] reverse proxies and the pool

2013-11-15 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 10/28/2013 11:33 PM, Kristian Fiskerstrand wrote:
> 
> 
> Current snapshot shows that 45 of 76 servers in the active pool
> are identified as being behind a reverse proxy, being roughly 60%.
> This includes nearly all of the servers that are included in the 
> geographical pools based on a more calculated approach[0]. In 
> comparison we only had some 30-odd servers directly qualifying when
> I first started looking into setting the minimum requirement of the
> pool to 1.1.3[1], at the time of the actual switch another 10-15
> operators had upgraded, and I believe the pool results are better
> for it today.
> 

Just a heads up that we now have 51 servers behind reverse proxies, so
I've decided to implement the change to require a reverse proxy for
the main pool some time this weekend.

If anyone without such a configuration wants to set it up, information
is found in the wiki[0].

References:
[0] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] reverse proxies and the pool

2013-11-15 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/15/2013 10:24 PM, Todd Lyons wrote:
> On Mon, Oct 28, 2013 at 3:33 PM, Kristian Fiskerstrand
> 
>> PS! For those that have noticed a blue indicator on that status 
>> page[2], this is a preliminary setup for a potential new HA pool
>> in the future for load-balanced servers in front of multiple SKS 
>> instances. I do however expect the HA pool to continue in the
>> same
> 
> Just curious, how do you detect this?  I just noticed the blue for
> the first time today.

I don't, at the moment it is manually specified. However, in the long
term, multiple requests and checking for nodename difference for a
singular host would be an option. This would probably be a matter for
a maintenance script running far less frequently than the hourly
updates of the pool though.

> 
>> manner as today for a while longer before that change happens.
>> If anyone is interested in my own load-balanced setup using nginx
>> I've written up a blog post on [3].
> 
> I've always wondered if I could just run multiple instances of sks
> db on the localhost with different ports and load balance amongst
> them. I never tried it though because I'm afraid of corrupting the
> database. The sks db instances don't need rw access, just ro.  That
> would allow for simple load balancing configurations, good for
> throughput, but not for HA.

For now I'm only including nodes on different servers (although that
can of course be VMs).

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Testis unus, testis nullus
A single witness is no witness
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJShpIoAAoJEAt/i2Dj7frjfMMP+wTe2E17tHgggZrprvzGeEdK
cmLS/lH68ES/iUuNt5Qb4bT0t1XCvMx3Mp2KMwO+FBW/+A+D075JfxuyQu4in6V4
aOSiNBRv2cC65cu48UQYGaeUe8ld94yAQrIVzwplT7/f+2hOSCM1x7fkKSlY47XM
dmR06touv+kmcNuftdvIMz1EKWimFjLLzbzr7TbyBkHGxhQ4mROSBQfwKp19PMqk
lfVy0/afvOmBGXoAJDj+TnJQ+F3YZaGzskvsvZ0tfyHeoJYwr+8Rdr2hzScFyUdU
FerSUzaZy+DLSa00BnEd8BDvVAvRfPnhNEvW/KmO3l9n+2IMDLiD4w3g2nye5B99
hTnOyPGmrLscK7fieUhcQ4KowKLB6kWezu4t/MXrOIUMGYygaqFW+HAcOttkKcCD
fKYyzHIVaVrrTSaWmoLTYdR/w4OUxAmjpuVG3exQcOQWmFYEXSyUk+VQiMPqUsvc
JL1d3zYvWbQTRlctuN4yZL0Yuxpvu/OlbFGVRHsH+FV75qnQcKsZ9mQkHs5AV092
/VT8rkURgWoMNkni8OJ+CUifnDO2UeFVzGOsK9D5pZfEI/b3V7TCcicCjOc7ERAC
V/d1QtCWTQbQYSg7jZpTeSCwIZBBzHkqaLNXtMQ3vZBVco8Cr6tn+xMy0+Ke/6Rp
WwN+kBiyJL2Xq9+5H1bC
=ZMZu
-END PGP SIGNATURE-



[Sks-devel] DNSSEC for pool.sks-keyservers.net

2013-11-17 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

As my upstream domain provider has finally added support for DNSSEC,
I've just activated a configuration that SHOULD enable DNSSEC for
sks-keyservers.net. I've tested it using my local DNS resolver and get
the expected "ad" flag in the result.

Please let me know if anyone is encountering any issues with the pool
as a result of this change.

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Carpe noctem
Seize the night
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] Not in pool on status page

2013-11-19 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/19/2013 03:10 PM, Todd Lyons wrote:
> On Tue, Nov 19, 2013 at 10:43:30AM +0100, Webmaster wrote:
> 
>> I'm wondering why my keyserver (keyserver.linuxpro.nl) is not in 
>> a pool on http://sks-keyservers.net/status/ but is listed under 
>> "not in pool".  The server should be reachable on ipv4 
>> 81.23.226.83 and ipv6 thru a sixxs tunnel. any clues?
> 
> You need to configure your webserver to answer for all possible 
> host headers that are going to ask for keys.  Review the 
> recommended configuration settings for your nginx reverse proxy at
>  https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
> 

In addition, make sure that the keyserver is available from the
external environment on the default HKP port of 11371.


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Acta est fabula
So ends the story
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] Not in pool on status page

2013-11-19 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/19/2013 04:26 PM, Kristian Fiskerstrand wrote:
> On 11/19/2013 03:10 PM, Todd Lyons wrote:
>> On Tue, Nov 19, 2013 at 10:43:30AM +0100, Webmaster wrote:
> 
>>> I'm wondering why my keyserver (keyserver.linuxpro.nl) is not
>>> in a pool on http://sks-keyservers.net/status/ but is listed
>>> under "not in pool".  The server should be reachable on ipv4 
>>> 81.23.226.83 and ipv6 thru a sixxs tunnel. any clues?
> 
>> You need to configure your webserver to answer for all possible 
>> host headers that are going to ask for keys.  Review the 
>> recommended configuration settings for your nginx reverse proxy
>> at https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
> 
> 
> In addition, make sure that the keyserver is available from the 
> external environment on the default HKP port of 11371.
> 
> 

Also I notice that I'm having issues resolving the domain name
keyserver.linuxpro.nl from my server. Make sure the keyservers are
properly set up (or is there any DNSSEC configuration that might stop
the request?)

alpha kristianf # dig keyserver.linuxpro.nl @127.0.0.1

; <<>> DiG 9.9.3-P2 <<>> keyserver.linuxpro.nl @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26821
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;keyserver.linuxpro.nl. IN  A

;; Query time: 4996 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 19 16:35:11 CET 2013
;; MSG SIZE  rcvd: 50


...

linuxpro.nl.            7200    IN      NS      ns5.linuxpro.nl.
linuxpro.nl.            7200    IN      NS      ns1.linuxpro.nl.
linuxpro.nl.            7200    IN      NS      ns3.linuxpro.nl.
sk4e8fj94u78smusb40o1n0oltbblu2r.nl. 900 IN NSEC3 1 1 5
F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG
DNSKEY NSEC3PARAM
sk4e8fj94u78smusb40o1n0oltbblu2r.nl. 900 IN RRSIG NSEC3 8 2 900
20131129072435 20131114211003 54171 nl.
Kc9aZQUqYxA95vFTQOkTXdHBpHGM6NOmJP64iIxDYBmSkNJXBYhpmZbr
b0dZucd/tPkCn2lTdg0UMv3iENvuUpt8Kf2yQujaoMfCLaH09uvY2xmB
ObsB1RBf0cwfbUUSI821uQjgrrIrjBHyeUBeP0DZ0vTTmWrn+vQk0ETb p6E=
pifi941j96fqbh2pmjjd4n87du1t2lt2.nl. 900 IN NSEC3 1 1 5
F10E9F7EA83FC8F3 PIFJDS2QDCUV77U0TTKV7EU2KQQG594P NS DS RRSIG
pifi941j96fqbh2pmjjd4n87du1t2lt2.nl. 900 IN RRSIG NSEC3 8 2 900
20131129124217 20131114231503 54171 nl.
TJpggrSHT7jTgu2zMLOhkc+MZqOWF1UbOVs5VGjqFCKJjvOzRBG93fDF
WSWLZlrKZF5ZjpSJagMGb+uVQieJBa4uMTfh4HcVy6cTRnwW3XAkoRXb
woMWAcrLoiPxkoY/GPC0YM2/8FJ5z75OfX99IxeZ4RAu2xmx6JS7T2Wz 2qo=
dig: couldn't get address for 'ns5.linuxpro.nl': no more


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Acta est fabula
So ends the story
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] Not in pool on status page

2013-11-19 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/19/2013 04:48 PM, Kristian Fiskerstrand wrote:
> On 11/19/2013 04:26 PM, Kristian Fiskerstrand wrote:
>> On 11/19/2013 03:10 PM, Todd Lyons wrote:
>>> On Tue, Nov 19, 2013 at 10:43:30AM +0100, Webmaster wrote:
> 
>>>> I'm wondering why my keyserver (keyserver.linuxpro.nl) is
>>>> not in a pool on http://sks-keyservers.net/status/ but is
>>>> listed under "not in pool".  The server should be reachable
>>>> on ipv4 81.23.226.83 and ipv6 thru a sixxs tunnel. any
>>>> clues?
> 
>>> You need to configure your webserver to answer for all possible
>>>  host headers that are going to ask for keys.  Review the 
>>> recommended configuration settings for your nginx reverse
>>> proxy at
>>> https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
> 
> 
>> In addition, make sure that the keyserver is available from the 
>> external environment on the default HKP port of 11371.
> 
> 
> 
> Also I notice that I'm having issues resolving the domain name 
> keyserver.linuxpro.nl from my server. Make sure the keyservers are 
> properly set up (or is there any DNSSEC configuration that might
> stop the request?)

Following up on this, please verify your lookaside settings. I notice
that if I disable dnssec-lookaside auto; I get a valid response.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Acta est fabula
So ends the story
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJSi5SbAAoJEAt/i2Dj7frjehIQAIa+5wo83X7xFEW05Yib9b/k
gNDA2O89XhyP0GTm34TYyDjjDwjWAGOstTyEz/iO/CmfoDzLH5Y6MU9eYEUVKber
C1XPmbcE0njUR8CPdCXmtXhGnrVDYuBBP2z9V05qphn2nWWiyOkjCVa0LwBOn1Dl
9WFrWZQb7XHOCG35v/NTAYthH1PuS+Ehx6KVT1LFUc6T++BVd6xrbhxEdyfeABNI
tMHpQwPaJ4C4S24VtYh2gnh+QJUIenO+y+9MI3dGvxi1tbGOgL4cUcpZx5QKNBwQ
jKgwzfPfxdNxlFEkNUUyzoIzAUMWajMR3YOb9xqPccdhTzmxl+qZoAgWkv12968O
Juc+G2E4iPYzke60xUCt3nhct9Nya7ZtlB1roTWHbu+6m7bqfFiorZ2/7L5whj92
eMF04NkJrFaJ+fDGbcwRKZqZ47SyUmnOlKORGrzQ5AEcn5d8PUg6V/Sfi/QiQBxA
IUahrHMYNXpV5fi5TaWjxwa3KNEEg41Axtue670JkINJzsrGvqHTTW1XXrYp+3+/
KVWiQhzT3KEUt0c7CDkN/l4OA98PJ4wz8veOrvJJnDlvYgSjYuT6IFHns4C7xAD+
gD8Xxb4tT97Vnrx2qYTTHQiK8YufMTH34tELrlvHhWLNDaOAMhTCDgu+/kAeBnbH
XWMNLigeQNo3Vay70Las
=j+ld
-END PGP SIGNATURE-



Re: [Sks-devel] Not in pool on status page

2013-11-24 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/19/2013 05:41 PM, Kristian Fiskerstrand wrote:

..

> 
> 
>> Also I notice that I'm having issues resolving the domain name 
>> keyserver.linuxpro.nl from my server. Make sure the keyservers
>> are properly set up (or is there any DNSSEC configuration that
>> might stop the request?)
> 
> Following up on this, please verify your lookaside settings. I
> notice that if I disable dnssec-lookaside auto; I get a valid
> response.
> 
> 

A few recommended links to help debugging; [0, 1]. In particular note
keyserver.linuxpro.nl/A:This RRset is not covered by any RRSIG.
keyserver.linuxpro.nl/:This RRset is not covered by any RRSIG.

Despite getting indications that it should be used from the ISC DLV[2]
(see $(dig linuxpro.nl.dlv.isc.org any) )


References:
[0] http://dnsviz.net/d/keyserver.linuxpro.nl/dnssec/
[1] http://dnssec-debugger.verisignlabs.com/keyserver.linuxpro.nl
[2] https://dlv.isc.org/

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nunc aut numquam
Now or never
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJSkhRsAAoJEAt/i2Dj7frj7b8QAInpw3vFDyRE2crzw+hqe1mU
Vv2iuU1ldG0piqncHQg+iMVqyKwpZ28jupveqsQRvYwzLLyucDLtkmh+66fYtJ21
o/j+z+j/IniFTWOIIaEi0bUwH+HjyMO+pewRAPuZ4W140kcZiTiY7+3oT9CKCFgf
KeLWpCnsxAJDjwjwO+fLOmAEOMZpJ6rXr6qmmwZxbfLACArq6YWnjtLhHzzKZFu+
YNG3IxKg566mFxzUkswNAHpo97tNwlzsjhaUaO/85P9rSe6Gmo+8xUD/t/d6NX4q
ePj1CbzhZsdokHlFVXS8uWAO07HSmOPEXFC5d2F4xKDffNT1gQXW2cfwcQwZU+1l
Y4UZCWgS7t0FflgLfIQVx/4YvNl2vIVhveprUgIPC9yun/trROxFpeXtmChtE84U
lRgucJgRUdOlA7nKVGFl4BfOIjEqKo9+dM/31tURO5TckdXs2QMDk7kyl7k/ieXJ
9PSQW65wIBYcSucZy3jvzJkLglnwCwM2hJ1TaTyLDroPsKRpnbJbuxNnWXpYQ/6U
YuuZ3fBs4qm/xYOHHzvsHNsI79vSI9zuYUI6fZXvzqRYdUqiE7RSj6bsnbRM0/IE
4wpwwVkVqQPzcAQj04hLAFVE7LsfEofM8hBinzVkfQmIEr7kU/Vrt1VL18QHaEed
llPIW/2BvpEJtrRJa/AG
=35RU
-END PGP SIGNATURE-

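
Two different DNS checks run through this thread: the DNSSEC announcement for sks-keyservers.net relies on the resolver setting the "ad" flag on the answer, and the keyserver.linuxpro.nl SERVFAIL turned out to be a validation failure (it went away once dnssec-lookaside was disabled, and dnsviz reports RRsets not covered by any RRSIG). The script below is an added example, not code from this list or from the SKS project. It builds a raw DNS query with EDNS0 and the DO bit, reads the header flags back the way dig prints them, and on SERVFAIL repeats the query with the CD (checking disabled) bit set, so that a broken DNSSEC chain can be told apart from authoritative servers that are simply unreachable. The resolver is assumed to be a validating resolver reachable over UDP (127.0.0.1 in Kristian's dig output); the response bytes used in the test are constructed to match the header dig showed (id 26821, flags qr rd ra, status SERVFAIL).

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SRV": 33, "AAAA": 28, "RRSIG": 46, "DNSKEY": 48}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", cd=False, query_id=None):
    """One question plus an OPT pseudo-RR carrying the DO (DNSSEC OK) bit.

    cd=True sets the Checking Disabled flag: the resolver returns whatever it
    has without validating, which is how a validation failure is isolated."""
    qid = random.randrange(65536) if query_id is None else query_id
    flags = 0x0100                      # RD: ask the resolver to recurse
    if cd:
        flags |= 0x0010                 # CD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    # with DO in the top bit of the flags half, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the flags dig prints (qr, rd, ra, ad, cd, rcode)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),     # Authenticated Data: the resolver validated the answer
        "cd": bool(flags & 0x0010),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def query(resolver, name, qtype="A", cd=False, timeout=5.0):
    """Send one UDP query to resolver (an IP address string) and return the parsed header."""
    q = build_query(name, qtype, cd=cd)
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        while True:
            data, _peer = s.recvfrom(4096)
            if data[:2] == q[:2]:       # ignore stray datagrams with another ID
                return parse_header(data)


def diagnose(resolver, name, qtype="A"):
    """Reproduce the dig-based checks from the thread in one call."""
    first = query(resolver, name, qtype)
    if first["rcode"] == "NOERROR":
        if first["ad"]:
            return "secure: answer validated (AD set)"
        return "resolved without validation (unsigned zone or non-validating resolver)"
    if first["rcode"] != "SERVFAIL":
        return first["rcode"]
    unchecked = query(resolver, name, qtype, cd=True)
    if unchecked["rcode"] == "NOERROR":
        return "SERVFAIL only when validating: broken DNSSEC chain (missing RRSIG, bad DS or lookaside entry)"
    return "SERVFAIL even with CD set: resolver cannot reach or parse the authoritative answer"


if __name__ == "__main__":
    import sys
    # usage: python dnssec_check.py <resolver-ip> <name>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

Against a validating resolver, "pool.sks-keyservers.net" should come back as "secure", while a zone whose signatures do not match (or whose lookaside entry points at keys that no longer sign it) produces the "SERVFAIL only when validating" case that kept keyserver.linuxpro.nl out of the pool.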


Re: [Sks-devel] Seeking peers for sks.muc.drweb-av.de

2013-11-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/29/2013 09:31 AM, Karl Schmitz wrote:
> Hi all,
> 

Hi Karl,


> I'm seeking peers for a new SKS key server installation.
> 
> I'm running SKS version 1.1.4, on sks.muc.drweb-av.de. The server
> is physically located in Germany (DE) and has IPv6 connectivity.

Please make sure that the server is also running behind a reverse
proxy as per [0].

References:
[0] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Aurum est Potestas
Gold is power
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] Seeking peers for sks.muc.drweb-av.de

2013-11-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/29/2013 07:32 PM, Karl Schmitz wrote:
> Hi Kristian,
> 


> 
> Will you make my server a peer of yours in return?
> 

Feel free to add

keys2.kfwebs.net 11370 # 0xE3EDFAE3


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"In politics stupidity is not a handicap."
(Napoleon Bonaparte)
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] Strange reason in status page

2013-11-30 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/30/2013 02:32 AM, Arnold wrote:
> Hi,
> 
> Some maintenance on my server is taking a bit longer than
> anticipated. While waiting for some command to finish, I checked
> the sks status page for my server. The status is "Not OK", so
> that's OK.
> 
> Next to look at was the reason:
> 
> ReasonNot running a reverse proxy
> 
> However, the reverse proxy is the only thing that _is_ actually
> running :-D
> 

If/when the proxy passthrough fails, presumably no Via header is set.


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nil desperandum
Never give up
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] Strange reason in status page

2013-11-30 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/30/2013 11:33 AM, Kristian Fiskerstrand wrote:
> On 11/30/2013 02:32 AM, Arnold wrote:
>> Hi,
> 
>> Some maintenance on my server is taking a bit longer than 
>> anticipated. While waiting for some command to finish, I checked 
>> the sks status page for my server. The status is "Not OK", so 
>> that's OK.
> 
>> Next to look at was the reason:
> 
>> Reason   Not running a reverse proxy
> 
>> However, the reverse proxy is the only thing that _is_ actually 
>> running :-D
> 
> 
> If/when  the proxy passthrough fails, presumably no Via header is
> set.
> 
> 

That said, I agree it can be somewhat confusing, so I've changed the
logic for failure reason to display the first detected error rather
than the last.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nil desperandum
Never give up
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthorized host, but host is authorized

2013-12-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/03/2013 06:08 PM, Daniel Kahn Gillmor wrote:
> On 12/03/2013 11:41 AM, Kim Minh Kaplan wrote:
>> But this *is* the approach that SKS uses, except that it does not
>> have to set IPV6_V6ONLY. Like I wrote in a previous answer, SKS
>> requires the administrator to list all addresses, IPv4 and IPv6.
>> As an alternative you can use the hostname. But I do not
>> recommend this as you then have to be sure that all your DNS
>> system is working fine at SKS startup time.
> 
> ah, i'm finally understanding your suggestion, Kim.  thanks for
> persisting.
> 

..

> Could we update the wiki to include that suggestion?  attached is
> a patch for Peering.wiki.

Thanks, I've pushed a slightly modified version of the patch
explicitly mentioning the IPv4-IPv6 mapping wrt using catchall ::

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Credo quia absurdum
I believe it because it is absurd
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-

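
The IPv4/IPv6 mapping that the wiki patch now mentions is worth seeing concretely. When a daemon listens on the catch-all :: on a dual-stack host, IPv4 peers show up as IPv4-mapped IPv6 addresses such as ::ffff:81.23.226.83, so an authorization check that compares the peer's address against the addresses a membership entry resolves to must fold the mapped form back to plain IPv4; otherwise a correctly listed peer is turned away as unauthorized, which is the symptom in this thread's subject. The script below is an added example, not code from this list or from SKS, and it does not claim to show how SKS itself performs the check: it parses membership lines in the "host port # comment" form used on this list, builds the allowed set through a caller-supplied resolver, and puts a naive string comparison beside the normalised one. The resolver table and the 192.0.2.x and 2001:db8:: addresses are constructed for the example (RFC 5737 and RFC 3849 documentation ranges).

```python
import ipaddress


def parse_membership(text):
    """Parse SKS-style membership lines ('host port  # comment') into (host, port) pairs."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError("malformed membership line: %r" % raw)
        peers.append((parts[0], int(parts[1])))
    return peers


def canonical(addr):
    """Return addr as an ip_address object, folding ::ffff:a.b.c.d back to a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def allowed_addresses(peers, resolve):
    """Collect every address a membership entry denotes.

    resolve(host) must return the A and AAAA records as strings; literal
    addresses in the membership file are used as they are."""
    allowed = set()
    for host, _port in peers:
        try:
            addrs = [str(ipaddress.ip_address(host))]
        except ValueError:
            addrs = resolve(host)
        allowed.update(canonical(a) for a in addrs)
    return allowed


def naive_is_authorized(peer_addr, peers, resolve):
    """Plain string comparison: rejects a mapped IPv4 peer although the host is listed."""
    literal = set()
    for host, _port in peers:
        try:
            literal.add(str(ipaddress.ip_address(host)))
        except ValueError:
            literal.update(resolve(host))
    return peer_addr in literal


def is_authorized(peer_addr, allowed):
    """Normalised comparison: IPv4, IPv6 and IPv4-mapped peers are all handled."""
    return canonical(peer_addr) in allowed


# Constructed data for this example; not real records.
MEMBERSHIP = """\
keys2.kfwebs.net 11370 # 0xE3EDFAE3
keyserver.linuxpro.nl 11370
2001:db8::5 11370 # literal IPv6 peer
"""
FAKE_DNS = {
    "keys2.kfwebs.net": ["192.0.2.10", "2001:db8::10"],
    "keyserver.linuxpro.nl": ["81.23.226.83"],
}


def example_allowed():
    """Allowed set built from the constructed membership file and resolver table."""
    return allowed_addresses(parse_membership(MEMBERSHIP), lambda h: FAKE_DNS[h])


if __name__ == "__main__":
    peers = parse_membership(MEMBERSHIP)
    allowed = example_allowed()
    for peer in ("::ffff:81.23.226.83", "81.23.226.83", "2001:db8::10", "198.51.100.7"):
        print("%-22s naive=%-5s normalised=%s" % (
            peer,
            naive_is_authorized(peer, peers, lambda h: FAKE_DNS[h]),
            is_authorized(peer, allowed)))
```

The first line of output is the interesting one: the mapped address fails the naive check and passes the normalised one, even though both refer to the same listed peer. Listing both the IPv4 and the IPv6 address of each peer explicitly, as Kim Minh suggests, sidesteps the question of what the daemon does with mapped addresses.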


Re: [Sks-devel] Was there a problem overnight

2013-12-06 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/06/2013 02:19 PM, Filip Stefaniak wrote:
> W dniu 2013-12-06 12:30, Jeremy T. Bouse pisze:
>> I just checked the pool status page and noticed that it was down
>> to only a bakers dozen of hosts in the pool. Was a little
>> disconcerting considering it was up over 60 the last time I had
>> checked it. I also noticed that one of my hosts isn't reporting
>> as being available on HKPS but there had been no change to my
>> server config and testing myself it appears fine.
> 
> Only seven left in the pool...
>> 


Thanks for the report and sorry about this. I'm expecting it to be
related to the strong storm we've had over Norway lately[0,1] making
havoc with some routing tables.

I've done some temporary steps (some static routes and increased
timeout values for the servers), so hopefully it should be back up to
normal any time soon.

References
[0]
http://www.telecompaper.com/news/norwegian-pt-on-alert-as-storm-reaches-southern-norway--984089
[1] http://en.apa.az/xeber_strong_storm_batters_norway_203795.html

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Quidquid latine dictum sit, altum videtur.
Anything said in Latin sounds profound
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Encrypt.to searching for beta users

2013-12-09 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/09/2013 01:37 PM, ad...@pgpkey.org wrote:
> Hi Stephan,
> 
> Thanks for your feedback. That's right, the user needs to trust
> the service. The toolchain is open source http://openpgpjs.org/ and
> you can review the JS code. How does the "End" in end-to-end looks
> like? Instead of using a mail plugin it's a website which runs JS
> code in your browser. Clear a PGP user knows how to encrypt a
> message on his PC, but if my non geek friends would like to send me
> an encrypted message without knowing PGP, I provide them one link
> and that's it. And how do you send an encrypted message without
> your PC? :)
> 
> Regards Jan
> 
> 

Granted this whole discussion probably belongs somewhere else, but
since we're first on the topic, let me chime in my two cents.

First of all, any encryption done in a browser will at least have to
be done in a browser extension that does not auto-update. One thing is
whether one trusts a service today, but if tomorrow some completely
different JS can be injected (or only injected based on e.g. IP
address, or other identifiers for a specific user, which we have seen
some cases of) then it can't be trusted.

Second, key validation. Your friends (or friends of anyone using the
service) would have to carry along a phone-book of fingerprints, key
types and sizes for each recipient. Other than the short key ID I
don't see anywhere where this website provides information useful for
key verification procedures. Not even after encryption; what happens if
there is a short keyid collision? And is there a way to verify the
structure of the encrypted message before sending? (similar to gnupg's
- --list-packets)


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nil satis nisi optimum
Nothing but the best is good enough
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] pgp.mit.edu upgraded to SKS 1.1.4

2013-12-12 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/12/2013 01:45 AM, Jonathon Weiss wrote:
> 
> Hello All,

Hi Jonathon,

> 
> I know there are people out there who pay more attention to
> pgp.mit.edu than to the average keyserver.  So I wanted to let
> folks know that pgp.mit.edu has been upgraded to SKS 1.1.4.  Also
> of note is that it now allows queries on either port 80 or 11371
> (and yes Apache is fronting both ports), so users behind
> restrictive firewalls can now access the system.  Please let us
> know if you detect any problems.
> 

Thanks for upgrading, it is indeed a server that experiences a higher
load than most, so a good test case for a lot of things[a].

In any case, the setup looks good with the exception of no Via header
being reported despite being behind apache, and as there is no rewrite
of Server: headers, my pool crawler doesn't detect the reverse proxy.
If you want this to be detected, please set ProxyVia; there is an
Apache example config at [0].


Endnotes:
[a] Depending on load it might even make sense to load-balance it with
multiple instances?

References:
[0] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Bene diagnoscitur, bene curatur
Something that is well diagnosed can be cured well


Re: [Sks-devel] keys.niif.hu changed

2013-12-12 Thread Kristian Fiskerstrand
Hi Gabor,

Good luck on the move. I'm running the instances in virtual environments
myself, so please let us know if you encounter any issues. There used to
be a timer issue that influenced virtual machines more frequently than
physical boxes that affected the recon process. This is hopefully fixed
in 1.1.4.

PS: touching the membership file shouldn't be necessary since 1.1.1 as
DNS should auto-refresh.

Sent from my BlackBerry 10 smartphone.

From: Kiss Gabor (Bitman)
Sent: Thursday, December 12, 2013 4:02 PM
To: sks-devel@nongnu.org
Subject: [Sks-devel] keys.niif.hu changed

Dear folks,

Host keys.niif.hu is moving to a virtual machine.
Its address is changed.
I ask all my peer partners to touch their membership file.
If you see any problem please don't hesitate to drop a mail.

Thanks
Gabor



Re: [Sks-devel] pgp.mit.edu upgraded to SKS 1.1.4

2013-12-12 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/12/2013 11:11 PM, Jonathon Weiss wrote:
> Kristian,
> 
> Thanks for the review.  I considered the possibility of a
> load-balanced pair of key servers prior to this upgrade, but
> decided that the resources for that are not (yet) justified.
> 
> I actually intentionally left the ProxyVia setting off until the
> new machine had a chance to burn in.  I expect I'll add it in a
> week or so. That raises a question though.  What order of magnitude
> of additional queries should I expect upon joining the pool.
> 

I don't have any figures on the usage of the pool (would be really
nice to have though), but the nature of the pool should distribute the
load between the servers in such a manner that it shouldn't be an
issue for a single server. The crawler randomly picks servers viable
to be presented in the actual DNS records, so with DNS caching the
distribution of traffic is actually higher than the random selection
in itself causes.


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Adde parvum parvo magnus acervus erit
Add little to little and there will be a big pile


Re: [Sks-devel] How much load are keyservers willing to handle?

2013-12-19 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/19/2013 04:47 AM, adrelanos wrote:
> Hi,
> 
> I am planning to write a script, which will refresh the apt signing
> key before updating using "apt-get update". I am certain, that
> mechanism doesn't exist yet. [1] The script might get accepted in
> Debian. [2] With my Whonix hat on, it's safe to say, that this
> script will be added to Whonix (which is a derivative of Debian).
> 
...


> Other than asking in general, (not everyone can speak for everyone)
> it may be better to ask: Would you accept that kind of traffic on
> your keyserver (pool)?

A regular receive key / refresh seems like fair use to me.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"The power of accurate observation is commonly called cynicism by those
who have not got it."
George Bernard Shaw


Re: [Sks-devel] Status update

2013-12-26 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/26/2013 09:53 PM, Kiss Gabor (Bitman) wrote:
> Dear Kristian,
> 
> sks-keyservers.net/status/* pages have a marker: These statistics
> were last updated: 2013-12-26 20:35 (UTC)
> 
> I reloaded pages twice a minute and I found this timestamp appeared
> at 20:45 UTC or so. Till then the 19:35 UTC stats were displayed. Is
> this intentional? Is there some artificial delay somewhere?
> 

It is the time the crawler run starts. Depending on the complexity of
probes and the number of servers, up to 10 minutes is within the
expected timeframe.


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nulla regula sine exceptione
No rule without exception


Re: [Sks-devel] seeking peers for sks.pgp.plitc.eu

2013-12-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/29/2013 08:32 PM, Daniel DP. Plominski wrote:

..


>> 
>> Great ! Maybe you already did, but have you thought of this
>> aliases:
>> 
>> ServerAlias pool.sks-keyservers.net eu.pool.sks-keyservers.net 
>> ServerAlias ipv6.pool.sks-keyservers.net
>> ipv4.pool.sks-keyservers.net ServerAlias
>> ha.pool.sks-keyservers.net

For the sake of completeness; ALL traffic on 11371 should be passed
through to SKS (otherwise CNAMEs such as keys.gnupg.net will fail). On
port 80 it should also allow the p80.pool.sks-keyservers.net if you
want it included there, and for 443 hkps.pool.sks-keyservers.net
should be allowed (but this also requires a certificate for the pool,
that can be used with SNI for this alias).

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Excellence is not a singular act but a habit. You are what you do
repeatedly."
(Shaquille O'Neal)


Re: [Sks-devel] seeking peers for sks.pgp.plitc.eu

2013-12-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/29/2013 11:48 PM, Daniel DP. Plominski wrote:
> Hi Kristian
> 
> i have added all required records:
> 
> ServerName pool.sks-keyservers.net
> <http://pool.sks-keyservers.net>
> 

...

The main point is that for 11371 all traffic should be passed on; for
instance your list doesn't include keys.gnupg.net, which is a CNAME to
pool.sks-keyservers.net, or http-keys.gnupg.net (a CNAME to ha.pool), so
if restricted to this list a lookup will fail for a large part of users.

> for VirtualHosts: # (for HKPS I have no certificate)
> 

Once the server has been in the pool for a while and been tested you
can request a certificate by sending me a CSR off-list as described at
[HKPS].


References:
[HKPS] https://sks-keyservers.net/overview-of-pools.php#pool_hkps


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ubi mel ibi apes
Where there's honey, there are bees


[Sks-devel] FOSDEM

2014-01-23 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

Just a heads up that I'll be attending FOSDEM this year (Brussels, 1-2
Feb) if anyone is up for a keysigning (either the official KSP[0] or a
meetup at the event).

[0] https://fosdem.org/2014/keysigning/

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Primum ego, tum ego, deinde ego
First I, then I, thereafter I.


Re: [Sks-devel] FOSDEM

2014-01-23 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 01/23/2014 08:34 PM, dirk astrath wrote:
> Hello Kristian,
> 
> It would be nice to meet you ... Probably I'll be at the secure-u
> / CAcert  stand in the K building ...

I'll make sure to drop by

> 
> ... And at the key signing party ... ;-)

Will certainly be there :)

> 
> See you at fosdem ...

Looking forward to it

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Dura necessitas
Necessity is harsh


[Sks-devel] OpenPGP key statistics

2014-01-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

I got curious about the current distribution of keys available on the
keyservers and wrote up a quick tool to dump some of this
information[a] from SKS yesterday. Since this might be of interest for
others as well I'll include some of the findings here. The full post
with main results including some charts is posted in a blog entry at
[0]. I hope to get around to digging a bit deeper into more
information going forward, in particular taking into consideration
subkeys and expiration/revocations (I just have to figure out some good
metrics to look at for this), so please let me know if there are
specific things that might be interesting.

A snippet from the post:
The overall majority (94.74%) were Version 4 keys cf. RFC4880, with V3
keys representing 4.73% and V2 keys representing 0.53%. DSA keys
represented 74.4%, while 25.6% were RSA keys and a minority were ElGamal
(0.03%), Elliptic Curve keys (35 keys) and keys in the experimental
range (32 keys).

The key lengths span from 224 bits (3 keys in the experimental range
with algo id 103) to 32,768 bits (3 keys, two of which are RSA
and one DSA). Due to the low occurrence of ECC keys (which have an
expectation of lower key lengths for similar expected security levels,
normally in the 256-521 bit range, although there is a strong
possibility that the aforementioned 224 bit keys should also fit in
this category) I have not done any adjustment for these. A full 77.4%
of the keys are included when looking at the aggregate figures up to
and including 1024 bits, roughly 2.7 million of the keys, and the
corresponding numbers when looking at 2048 and 4096 bits respectively
are 95.3% and 99.95% of all keys included.

Endnotes:
[a] sksstats is available as a patch to the current SKS tip in my
mercurial queue at
https://bitbucket.org/kristianf/sks-keyserver-patches/src/tip/SKSStats?at=default

References:
[0] http://blog.sumptuouscapital.com/2014/01/openpgp-key-statistics/
- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Acta est fabula
So ends the story


Re: [Sks-devel] Keydump makes DB unavailable

2014-01-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 01/29/2014 08:51 PM, Phil Pennock wrote:
> On 2014-01-28 at 16:54 -0500, Phil Pennock wrote:
>> That's off the top of my head, but I don't create dumps (my
>> recovery strategy is to use the dumps created by others and let
>> SKS reconcile). Those who do create dumps may be able to help
>> refine this.
>> 
>> Perhaps we can add a wiki page enumerating a debugged list of
>> steps?
> 
> I've _very_ quickly thrown together a basic page, a chunk of which
> was copy/paste from that email.  The page is not yet authoritative,
> but at least provides something as a starting point to be refined
> and improved to get towards a state where people like it as much as
> they seem to like the Peering document.
> 
> https://bitbucket.org/skskeyserver/sks-keyserver/wiki/DumpingKeys

Indeed a very nice start, thanks for adding it.

> 
> I don't know what the privilege model is at Atlassian for editing
> that wiki; whether anyone with an account can edit, or only people
> with repository permissions.  Minimally, we have something which
> other committers can refine.  I don't have time to shepherd this
> now, so please don't run changes by me!  If you see a problem, fix
> it. :)
> 

Anyone can edit

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Be a yardstick of quality. Some people aren't used to an environment
where excellence is expected."
(Steve Jobs)


Re: [Sks-devel] Protocol Details for HKP\HKPS\Gossip

2014-02-09 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/09/2014 07:00 PM, Benny Baumann wrote:
> Hi folks,
> 
Hi Benny,


> because I know this might get a bit complicated let's split this in
> 3 parts:
> 
> 1. HKP: AFAIK this is based on HTTP/1.0, but is there any
> documentation on what possible calls could arrive at the server (in
> the logs I noticed /pks/lookup, /pks/hashquery and /pks/add, but
> it's somehow a bit troublesome to re-engineer the whole API when
> one was going to write some own frontend or caching interface. How
> accurate is the description[1] linked at [2]?

The protocol description should be fairly accurate, although some
additional parameters might have been added since. In particular I'm
using /pks/lookup?op=stats to determine inclusion into the pool, which
isn't documented. I'm doing this by parsing the HTML, so any deviation
from SKS would make this difficult, although I'm open to adding e.g. a
json alternative e.g. at ?op=stats&options=json. I'd then check for an
expected format or do a fallback to the usual HTML parsing for these
servers.

> 
> 2. HKPS: Any difference from HKP aside from tunneling by SSL and
> the pinning of the CA of the certificate?

Indeed only TLS-layered HKP. As for the actual implementation in my
pools see [0].

> 
> 3. Gossip: Is there some documentation of the binary gossip
> protocol? Having a rough look at the TCP dump I made for testing
> this looks like the OpenPGP data is sent in the clear, but
> unfortunately I didn't manage to get any more out of the dump. But
> given only the algorithmic description [3],[4] it's not quite
> feasable to come up with a complying implementation.
> 

I can only recommend looking into SKS's implementation of this. In
addition you might want to look into Hockeypuck, see e.g. the thread
at [1], as I understand Casey et al. are also working on an alternative
implementation.

References:
[0] https://sks-keyservers.net/overview-of-pools.php#pool_hkps
[1] http://lists.nongnu.org/archive/html/sks-devel/2012-11/msg00037.html

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Docendo discimus
We learn by teaching


Re: [Sks-devel] Tuning

2014-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/11/2014 02:38 PM, Christian Reiß wrote:
> Hey folks,
> 
> I have some questions on which I need some pointers.

...

> 
> pagesize and ptree_pagesize. These options are used for importing/ 
> generating the db and have no effect on a running server (or?).
> What would be good pointers in setting those?

This at least has an effect on the number of mutexes used. We changed
the defaults in 1.1.4 so any build after this should probably be OK.
The ability to define them in the conf file is necessary to
provide backwards compatibility with DBs built using different
settings, but it is not generally something that is recommended to be changed.

> 
> stat_hour: As far as I understand, stats are generated each hour.
> Why specify this? Are some more special stats generated here?
> 

By default stats are updated once a day; for more frequent updates you
need to send a USR2 signal to sks.



- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ad astra per aspera
To the stars through thorns


Re: [Sks-devel] Tuning

2014-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/11/2014 04:53 PM, Daniel Kahn Gillmor wrote:
> On 02/11/2014 10:48 AM, Kristian Fiskerstrand wrote:
>> By default stats are updated once a day, for more than this you
>> need to send a USR2-signal to sks.
> 
> In particular, you need to send USR2 to "sks db", not "sks recon".
> And note that while "sks db" is calculating stats, it cannot serve
> HKP requests.  It can take several minutes or more to calculate the
> stats (depending on the work pattern of the machine), so during
> that time, your keyserver will not be responsive.
> 

Unless you run it in a clustered setup where the different members
calculate it at different times and the frontend passes the request on
before timeout :p

I wonder if it would be interesting to record the update stats times
on the servers and use this for exclusion in the pools around the
update time somehow. Are people experiencing any difference to the
responsiveness of the pool after switching to requirement of rprox?
And is it worthwhile to add some kind of stats update detection, or is
this issue so minor that it would only add unnecessary complexity?

One thing I've noticed is that the number of servers in the pools
themselves fluctuates throughout the day if there are larger additions
in number of keys, as the servers updating once a day get dropped for
missing keys compared to the dynamic stats. But with the number of servers we
have today, from a pool perspective this is perfectly OK.


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ad astra per aspera
To the stars through thorns


Re: [Sks-devel] HKPS configuration?

2014-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/11/2014 05:08 PM, Christian Reiß wrote:
> Hey,
> 
> I am not saying it can't be done. Yes it is possible with your
> setup, but that some clients to not send vhost/domain data along
> with the request and expect the hostname of the sks server to match
> the default cert. So unless you are serving the hkps per default on
> your server you might break compatibility with clients.
> 

FWIW, I do not enforce this in the hkps.pool (i.e. requiring SNI is
permitted); however this is the required behavior on port 11371 for
the usual pool.


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ad astra per aspera
To the stars through thorns


Re: [Sks-devel] Tuning

2014-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/11/2014 08:19 PM, Daniel Kahn Gillmor wrote:
> On 02/11/2014 01:58 PM, Benny Baumann wrote:
>>> On 11.02.2014 16:59, Kristian Fiskerstrand wrote:
>>> Unless you run it in a clustered setup where the different
>>> members calculate it on different times and the frontend passes
>>> the request on before timeout :p
>> 
>> It's almost instantly for my machine ...
> 
> what is almost instantly, Benny?  Are you saying that the stats 
> calculation returns almost instantly?  If so, i wonder why there is
> such a variation.  How much RAM is available for your machine?
> what other contention do you have for disk I/O?  What kind of disks
> are you using?
> 
> On a pretty decent machine (zimmermann.mayfirst.org), i'm seeing
> the following duration in the logs:
> 
> 2014-02-11 19:17:17 Calculating DB stats 2014-02-11 19:17:49 Done
> calculating DB stats

FWIW, I checked my db.log; the figures over the past few days are as
follows. On .33, a VM, 3GB RAM, updating once a day:
Linux gentoo1 3.4.62-gentoo #1 SMP Fri Sep 20 01:27:24 CEST 2013
x86_64 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux
2014-02-09 03:00:00 Calculating DB stats
2014-02-09 03:00:04 Done calculating DB stats
2014-02-10 03:00:00 Calculating DB stats
2014-02-10 03:00:13 Done calculating DB stats
2014-02-11 03:00:00 Calculating DB stats
2014-02-11 03:00:06 Done calculating DB stats

On .27, a VM, 2GB RAM, updating once an hour:
Linux gentoo5 3.4.62-gentoo #1 SMP Fri Sep 20 01:27:24 CEST 2013
x86_64 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux
2014-02-11 17:30:01 Calculating DB stats
2014-02-11 17:30:04 Done calculating DB stats
2014-02-11 18:30:01 Calculating DB stats
2014-02-11 18:30:04 Done calculating DB stats
2014-02-11 19:30:01 Calculating DB stats
2014-02-11 19:30:04 Done calculating DB stats

On .6, slightly older physical computer, 2GB RAM, updating once an hour:
Linux gamma 3.4.62-gentookf1 #3 SMP Sun Nov 17 12:06:10 CET 2013
x86_64 Intel(R) Xeon(R) CPU 5110 @ 1.60GHz GenuineIntel GNU/Linux
2014-02-11 18:20:01 Calculating DB stats
2014-02-11 18:20:06 Done calculating DB stats
2014-02-11 19:20:01 Calculating DB stats
2014-02-11 19:20:05 Done calculating DB stats
2014-02-11 20:20:01 Calculating DB stats
2014-02-11 20:20:05 Done calculating DB stats

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Excellence is not a singular act but a habit. You are what you do
repeatedly."
(Shaquille O'Neal)
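
Daniel's remark earlier in this thread that "sks db" cannot serve HKP while it calculates stats, and Kristian's question of whether stats-update times could be recorded and used for pool exclusion, both come down to measuring the runs from db.log lines like the ones quoted above. The following is an added example, not code from the thread, from SKS or from the pool crawler: it turns db.log lines into run durations, flags slow runs, and checks whether a given moment falls inside a run; the first three runs in the sample are the .27 lines quoted above and the fourth is constructed.

```python
"""Measure SKS 'Calculating DB stats' windows from db.log lines.

Added example (not code from the thread, from SKS or from the pool
crawler). It parses the timestamps "sks db" writes around a stats run,
reports how long each run took, flags slow runs, and answers whether a
given moment falls inside a run (plus a margin), which is what a
pool-exclusion check around stats-update time would need.
"""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
START_MARK = "Calculating DB stats"
DONE_MARK = "Done calculating DB stats"

# Constructed sample input: the first three runs are the .27 lines quoted
# in the message above; the fourth run is made up to show a slow run.
SAMPLE_DB_LOG = """\
2014-02-11 17:30:01 Calculating DB stats
2014-02-11 17:30:04 Done calculating DB stats
2014-02-11 18:30:01 Calculating DB stats
2014-02-11 18:30:04 Done calculating DB stats
2014-02-11 19:30:01 Calculating DB stats
2014-02-11 19:30:04 Done calculating DB stats
2014-02-11 20:30:01 Calculating DB stats
2014-02-11 20:30:45 Done calculating DB stats
"""


def _parse_line(line):
    """Split a db.log line into (datetime, message); None if not parseable."""
    line = line.strip()
    if len(line) < 20:
        return None
    try:
        ts = datetime.strptime(line[:19], TS_FORMAT)
    except ValueError:
        # Lines such as the 'uname' output pasted above carry no timestamp.
        return None
    return ts, line[20:]


def stats_runs(log_text):
    """Return completed runs as (start, end, seconds) with string timestamps.

    A start without a matching Done (sks db restarted mid-run, or the run is
    still in progress) is dropped rather than guessed at.
    """
    runs = []
    start = None
    for line in log_text.splitlines():
        parsed = _parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg == START_MARK:
            start = ts
        elif msg == DONE_MARK and start is not None:
            seconds = int((ts - start).total_seconds())
            runs.append((start.strftime(TS_FORMAT), ts.strftime(TS_FORMAT), seconds))
            start = None
    return runs


def slow_runs(log_text, threshold_seconds=30):
    """Runs longer than the threshold: the windows in which HKP was not served."""
    return [run for run in stats_runs(log_text) if run[2] > threshold_seconds]


def in_stats_window(log_text, when, margin_seconds=60):
    """True if `when` (a TS_FORMAT string) lies within margin of a stats run."""
    moment = datetime.strptime(when, TS_FORMAT)
    margin = timedelta(seconds=margin_seconds)
    for start_s, end_s, _ in stats_runs(log_text):
        start = datetime.strptime(start_s, TS_FORMAT)
        end = datetime.strptime(end_s, TS_FORMAT)
        if start - margin <= moment <= end + margin:
            return True
    return False


if __name__ == "__main__":
    for start, end, seconds in stats_runs(SAMPLE_DB_LOG):
        print(f"{start} -> {end}: {seconds}s")
    print("slow runs:", slow_runs(SAMPLE_DB_LOG))
    print("20:30:20 in window:", in_stats_window(SAMPLE_DB_LOG, "2014-02-11 20:30:20"))
```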


Re: [Sks-devel] HKPS configuration?

2014-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/11/2014 10:13 PM, Falcon Darkstar Momot wrote:
> On 2/11/2014 11:06 AM, Gabor Kiss wrote:
>>> hkps is basically a 443 to hkp forward - I am using nginx for
>>> that. Just be SURE you do NOT use SNI or rely/ need a
>>> vhost/hostname as some client/most clients (gnupg) do not send
>>> this information. It is actually only feasible on a dedicated
>>> IP for SKS where Port 443 is solely used for https/hkps.
>> My clients have bad luck in this case. :-( I cannot assign extra
>> IPv4 address to this service.
>> 
>> Gabor
> Why use port 443?  Nearly any port would work just fine, and using
> not 443 would remove the need for SNI while still not needing
> additional IPs.
> 

Although the pool software supports detection of the port from SRV
records (and actually does, as shown in the metadata of servers),
reporting these back to the users is currently disabled due to
Issue1446[0] and Issue1447[1] in GnuPG.

[0] http://bugs.g10code.com/gnupg/issue1446
[1] http://bugs.g10code.com/gnupg/issue1447


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
There are two tragedies in life. One is to lose your heart's desire.
The other is to gain it.
 - George Bernard Shaw


[Sks-devel] Network maintenance sks-keyservers.net on 20 Feb 2014

2014-02-17 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Due to network maintenance I expect disruptions to the network where
the sks-keyservers.net website and control system is hosted on 20th of
February 2014. As such I'll disable updating on this date until the
necessary changes are confirmed to be complete. DNS records will
continue to be served throughout this period, but will not be updated.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ad astra per aspera
To the stars through thorns


Re: [Sks-devel] Network maintenance sks-keyservers.net on 20 Feb 2014

2014-02-19 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/17/2014 05:17 PM, Kristian Fiskerstrand wrote:
> Due to network maintenance I expect disruptions to the network
> where the sks-keyservers.net website and control system is hosted
> on 20th of February 2014. As such I'll disable updating on this
> date until the necessary changes are confirmed to be complete. DNS
> records will continue to be served throughout this period, but will
> not be updated.
> 


The scheduled time has been moved from 20th Feb to 27th of Feb.

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nomina stultorum scribuntur ubique locorum
Fools have the habit of writing their names everywhere


Re: [Sks-devel] Network maintenance sks-keyservers.net on 20 Feb 2014

2014-03-04 Thread Kristian Fiskerstrand
FYI, the website and updating is currently down due to firewall
reconfig. It should be back up again the coming weekend at the latest
(as I might have to travel out to the facility).

Sent from my BlackBerry 10 smartphone.

From: Kristian Fiskerstrand
Sent: Wednesday, February 19, 2014 1:38 PM
To: sks-devel@nongnu.org
Subject: Re: Network maintenance sks-keyservers.net on 20 Feb 2014

> On 02/17/2014 05:17 PM, Kristian Fiskerstrand wrote:
>> Due to network maintenance I expect disruptions to the network
>> where the sks-keyservers.net website and control system is hosted
>> on 20th of February 2014. As such I'll disable updating on this
>> date until the necessary changes are confirmed to be complete. DNS
>> records will continue to be served throughout this period, but will
>> not be updated.
>
> The scheduled time has been moved from 20th Feb to 27th of Feb.



Re: [Sks-devel] Network maintenance sks-keyservers.net on 20 Feb 2014

2014-03-05 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/19/2014 01:37 PM, Kristian Fiskerstrand wrote:
> On 02/17/2014 05:17 PM, Kristian Fiskerstrand wrote:
>> Due to network maintenance I expect disruptions to the network 
>> where the sks-keyservers.net website and control system is
>> hosted on 20th of February 2014. As such I'll disable updating on
>> this date until the necessary changes are confirmed to be
>> complete. DNS records will continue to be served throughout this
>> period, but will not be updated.
> 
> 
> 
> The scheduled time has been moved from 20th Feb to 27th of Feb.
> 
> 

After a bit longer downtime to the website and updating of the pool
than expected (although not the running pool and DNS itself)
everything should now be up and running again with the new network
config :)


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"I have always wished that my computer would be as easy to use as my
telephone.
My wish has come true -- I no longer know how to use my telephone"
(Bjarne Stroustrup, April 1999)



Re: [Sks-devel] SKS peering request [sks-server.randala.com]

2014-04-07 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

[Please do not top-post, it makes it difficult to follow the thread]

On 04/07/2014 05:12 AM, Martin Papik wrote:
> 
> Dear Phil
> 
> First of all thank you for your exhaustive response, it's much 
> appreciated.
> 
> I'm running it on real HW, so the Ptree issues are not a problem, 
> although I am curious to know why and how such corruption happens
> on a VM. Is it because of something specific to SKS or DBD? How was
> it fixed in 1.1.4?

It relates to the timing information in the kernel clocksource not
being accurate enough in some VM environments, so one of the
workarounds is to use the tsc clocksource.

> 
> Second, with 1.1.3, are ECC signatures lost? Meaning if someone 
> queries my server running 1.1.3 for a key containing an ECC
> signature, will only the one signature be missing or will there be
> problems syncing any further signatures?

For signatures the ECC signature will be gone by default, or an error
will be shown for a primary ECC key. The keys will synchronize and the
full key can be gotten from a 1.1.3 server using the &clean=off option
that disables the presentation filter. You'll find some details on the
number of ECC (primary) keys at [2].

> I.e. will the whole key be lost, the ECC signatures only, or any
> signature after the first ECC signature is added? Another question
> that occurs to me is, how many ECC signatures are actually in the
> wild? Are many users affected? If so, I wonder if the logic that
> selects my server for inclusion in the pool is doing the right
> thing. Mine isn't the only 1.1.3 server included. So I wonder.

ECC safe pool is the subset pool c.f. [0]. The 1.1.3 requirement is
set mainly due to subkey safe searching. This will be bumped to 1.1.5
once released.

> 
> I can't do much about OS packaging, it already took extra effort
> to get 1.1.3 on the current stable version (not much, but extra),
> maybe somebody here could undertake the effort needed to backport
> the latest SKS for the stable branch of ubuntu. I've never done
> anything with ocaml so I don't feel qualified to roll out a
> package. Not even for myself to be honest. Or rather, I'm not in
> the best mental shape to be responsible for such a thing.
> 
> So the question that sticks out is this, am I degrading the network
> by being included in the pool with a 1.1.3 server? If so, what
> next?

1.1.3 should be reasonably safe (in the meaning I don't have any
immediate plans to discard it from the pool), however do note that
1.1.4 was released in October 2012[1].

> 

> Martin
> 


...

> 
>> I believe that Kristian is currently trying to coordinate
>> getting some final changes in before a 1.1.5 release which will
>> have enough cleanups and improvements in ECC and web security
>> areas that it should be considered a "really really should
>> upgrade" release.

It would have its set of improvements, indeed. And you're correct in
that I'm in favor of a new release soon, although I must state the
disclaimer that we haven't decided on this in the team yet.


References:
[0] https://sks-keyservers.net/overview-of-pools.php#pool_subset
[1] http://lists.nongnu.org/archive/html/sks-devel/2012-10/msg00010.html
[2] http://blog.sumptuouscapital.com/2014/01/openpgp-key-statistics/
- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Qui audet vincit
Who dares wins



Re: [Sks-devel] SKS peering request [sks-server.randala.com]

2014-04-09 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04/09/2014 02:36 AM, Martin Papik wrote:
> Dear Kristian
> 
> Thank you for your response.
> 
>>> Second, with 1.1.3, are ECC signatures lost? Meaning if someone
>>>  queries my server running 1.1.3 for a key containing an ECC 
>>> signature, will only the one signature be missing or will
>>> there be problems syncing any further signatures?
> 
>> For signatures the ECC signature will be gone by default, or an 
>> error will be shown for a primary ECC key. The keys will 
>> synchronize and the full key can be gotten from a 1.1.3 server 
>> using &clean=off option that disable the presentation filter. 
>> You'll find some details on number of ECC (primary) keys at [2]
> 
> So all the keys will be in the database on a 1.1.3 server, but 
> searching for ECC keys will fail with an error, and ECC signatures 
> will be omitted due to the filter which can be disabled with 
> clean=off. Did I understand you correctly? In which case, a 1.1.4

... yup

> server that is only peering with a single 1.1.3 server which peers 
> with the network will get all the keys and return correct results.
> Is that true? Will a dump on a 1.1.3 contain the ECC key material?

... yup

> 
>>> I.e. will the whole key be lost, the ECC signatures only, or
>>> any signature after the first ECC signature is added? Another 
>>> question that occurs to me is, how many ECC signatures are 
>>> actually in the wild? Are many users affected? If so, I wonder
>>> if the logic that selects my server for inclusion in the pool
>>> is doing the right thing. Mine isn't the only 1.1.3 server
>>> included. So I wonder.
> 
>> ECC safe pool is the subset pool c.f. [0]. The 1.1.3 requirement 
>> is set mainly due to subkey safe searching. This will be bumped
>> to 1.1.5 once released.
> 
> Which requirement is this? For the ECC-safe pool? Because
> otherwise this seems to contradict the next paragraph.

The subset pool was linked as reference [0].

> 
>> 1.1.3 should be reasonably safe (in the meaning I don't have any
>>  immediate plans to discard it form the pool), however do note
>> that 1.1.4 was released in October 2012[1].
> 
>>>> I believe that Kristian is currently trying to coordinate 
>>>> getting some final changes in before a 1.1.5 release which 
>>>> will have enough cleanups and improvements in ECC and web 
>>>> security areas that it should be considered a "really really 
>>>> should upgrade" release.
> 
>> It would have its set of improvements, indeed. And you're
>> correct in that I'm in favor of a new release soon, although I
>> must state the disclaimer that we haven't decided on this in the
>> team yet.
> 
> Do you have a time frame in mind?

No specific timeframe, I have an outstanding pull request on its way
into the main tree, after that I'm ready to go after some release
preparations, but it depends on whether the rest of the team has
anything outstanding.

> 
> Are the planned improvements documented somewhere? Are they in the 
> repository in the TODO file?

They are in the CHANGELOG [a]. The TODO file isn't really used, we use
the issue tracker instead.

> 
> Is the repository always the latest version?

I don't understand this question.

> 
> Is the repository always safe to run? I mean, can the head always
> be safely deployed to be part of the public network?

No, it is a development branch. However, it is mostly iterative and as
such safe, but "always" is a very strong requirement.

> 
> PS, sorry if my questions are tedious, but I'm new to sks so
> there's a lot that's not clear to me and I would like to make sure
> I don't misunderstand something. I hope it's okay.

Sure..


References:
[a]
https://bitbucket.org/skskeyserver/sks-keyserver/src/tip/CHANGELOG?at=default

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Docendo discimus
We learn by teaching

Re: [Sks-devel] Problem upgrading from 1.1.3 to 1.1.4

2014-04-25 Thread Kristian Fiskerstrand
You will need to remove the environment, it will be recreated automatically. 
See [0]. Also keep in mind the upgrade instructions in [1]

[0] 
https://bitbucket.org/skskeyserver/sks-keyserver/src/4069c369eaaa/UPGRADING?at=default
[1] http://lists.nongnu.org/archive/html/sks-devel/2012-10/msg00010.html

Sent from my iPad

On Apr 25, 2014, at 11:33, Christopher Baines  wrote:

> I was running 1.1.3 from Debian stable, and attempted to upgrade to
> 1.1.4 from Debian testing/unstable. However, it appears the package was
> missing a dependency on db5.3-util (as it could not run db5.3_upgrade).
> So, I installed that, and tried again, but now I get:
> 
> db5.3_upgrade: BDB1538 Program version 5.3 doesn't match environment
> version 5.1
> db5.3_upgrade: DB_ENV->open: BDB0091 DB_VERSION_MISMATCH: Database
> environment version mismatch
> 
> Any ideas how to fix this?
> 
> Thanks,
> 
> Chris
> 



Re: [Sks-devel] hkps.pool.sks-keyservers.net CSR

2014-04-28 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04/28/2014 04:42 PM, Kiss Gabor (Bitman) wrote:
>> Eeeerr I installed new key and certificate then hkps status
>> of keys.niif.hu turned into red. Could you suggest what should I
>> check?
> 
> It is okay now. Uhm Sorry for the line noise.
> 
> Gabor
> 

It should have turned red at the moment I revoked the old cert, and
gotten picked up again during the next update run once the new cert
was installed :)

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nomina stultorum scribuntur ubique locorum
Fools have the habit of writing their names everywhere



[Sks-devel] Configuring the reverse proxy to support large keys - HTTP error 413

2014-04-28 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

I've received reports that uploading some (large) keys to some of the
keyservers in the pool (my test shows failure on 30 servers after
trying to run against 115: These are listed in [A]) results in a
gpgkeys: HTTP post error 22: The requested URL returned error: 413
Request Entity Too Large

In this case the Content-Length is 1377406, seemingly exceeding the
default nginx configuration. The fix for nginx is to set
client_max_body_size 2m; (or larger) in the http context of nginx.conf.

I have not yet implemented an automated check for this in the pool
(and a bit unsure how I'd do it without actually sending large amounts
of data to the server during the check, something I generally want to
avoid), but might run a semi-manual / scripted check and add affected
servers to the blacklist if the issue persists after some time.

gpg2 --send-key DE7AAF6E94C09C7F can be used to test.

Please consider re-configuring the servers accordingly.

[A] non-exhaustive list of servers affected
sks.spodhuis.org
zimmermann.mayfirst.org
vm-keyserver.spline.inf.fu-berlin.de
keyserver.mesh.deuxpi.ca
sks.fidocon.de
keys.exosphere.de
keys.sflc.info
pgpkeys.mallos.nl
keyserver.uz.sns.it
openpgp.andrew.kvalhe.im
pgp.gmu.edu
keyserver.compbiol.bio.tu-darmstadt.de
keys2.alderwick.co.uk
keys.alderwick.co.uk
keyserver.advmapper.com
sks.undergrid.net
keys.jhcloos.com
sks.alpha-labs.net
pgpkey.org
keys.indymedia.org
pgp.freiwuppertal.de
keyserver.linuxpro.nl
keyserver.secure-u.de
sks.stsisp.ro
key.ip6.li
keys-01.licoho.de
key.adeti.org
keys-02.licoho.de
keyserver.durcheinandertal.ch
keyserver.blupill.com


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Varitatio delectat
Change pleases



Re: [Sks-devel] Configuring the reverse proxy to support large keys - HTTP error 413

2014-04-28 Thread Kristian Fiskerstrand
On Apr 28, 2014 7:36 PM, "Jeremy T. Bouse" 
wrote:
>
> I don't know about the others on the list but my configuration follows
> the recommendations from
> https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering which has
> never stated anything about this issue as long as I've been following
> it. Do we need to make changes to the documentation that's already out
> there?

Yes, we should once we determine an answer to your next question

>
> As to the key you selected to test with it's not surprising it's a large
> upload given that it's weasel's old 1024D Debian key with over 3K
> signatures and one of the strong set keys as he stays high in the WoT.

Yup, Peter was the original source for investigating this issue

> His new 4096R key (62AF4031C82E0039) already has over 1K signatures on
> it. In that case where do we set a sane upper bound as it will only
> continue to grow on keys that make it into the strong set with thousands
> of signatures?

This is indeed THE question, and the answer will potentially vary over
time. Atm it needs to be at least 2MiB but an optimal size will require
more analysis.

>
> On 04/28/2014 12:25 PM, Kristian Fiskerstrand wrote:
> > I've received reports that uploading some (large) keys to some of the
> > keyservers in the pool (my test shows failure on 30 servers after
> > trying to run against 115: These are listed in [A]) results in a
> > gpgkeys: HTTP post error 22: The requested URL returned error: 413
> > Request Entity Too Large
> >
> > In this case the Content-Length is 1377406, seemingly exceeding the
> > default nginx configuration. The fix for nginx is to set
> > client_max_body_size 2m; (or larger) in the http context of nginx.conf.
> >
> > I have not yet implemented an automated check for this in the pool
> > (and a bit unsure how I'd do it without actually sending large amount
> > of data to the server during the check, something I generally want to
> > avoid), but might run a semi-manual / scripted check and add affected
> > servers to the blacklist if the issue persists after some time.
> >
> > gpg2 --send-key DE7AAF6E94C09C7F can be used to test.
> >
> > Please consider re-configuring the servers accordingly.
> >
> > [A] non-exhaustive list of servers affected
> > sks.spodhuis.org
> > zimmermann.mayfirst.org
> > vm-keyserver.spline.inf.fu-berlin.de
> > keyserver.mesh.deuxpi.ca
> > sks.fidocon.de
> > keys.exosphere.de
> > keys.sflc.info
> > pgpkeys.mallos.nl
> > keyserver.uz.sns.it
> > openpgp.andrew.kvalhe.im
> > pgp.gmu.edu
> > keyserver.compbiol.bio.tu-darmstadt.de
> > keys2.alderwick.co.uk
> > keys.alderwick.co.uk
> > keyserver.advmapper.com
> > sks.undergrid.net
> > keys.jhcloos.com
> > sks.alpha-labs.net
> > pgpkey.org
> > keys.indymedia.org
> > pgp.freiwuppertal.de
> > keyserver.linuxpro.nl
> > keyserver.secure-u.de
> > sks.stsisp.ro
> > key.ip6.li
> > keys-01.licoho.de
> > key.adeti.org
> > keys-02.licoho.de
> > keyserver.durcheinandertal.ch
> > keyserver.blupill.com


Re: [Sks-devel] old certificates

2014-04-30 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04/30/2014 03:16 AM, Christoph Anton Mitterer wrote:
> On Tue, 2014-04-29 at 12:52 +0200, Kiss Gabor (Bitman) wrote:
>> a.keyserver.pki.scientia.net Aug  4 15:32:48 2013 GMT
> Well I've written Kristian an email with a new CSR some week or so 
> ago,... but no reply yet... or have I overseen something?
> 

... no, but I have... thanks for the heads up, a new cert should be in
the mail..


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ne nuntium necare
Don't kill the messenger



[Sks-devel] Fwd: CVE request: SKS non-persistent XSS

2014-05-02 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear list,

FYI a request has been sent to oss-sec for a CVE assignment on the XSS
issue listed below.


-  Original Message 
Subject: CVE request: SKS non-persistent XSS
Date: Thu, 01 May 2014 22:58:04 +0200
From: Kristian Fiskerstrand 
To: oss-secur...@lists.openwall.com

Hi,

A non-persistent client-side cross-site scripting attack was reported
against SKS[0] resulting from improper input sanitation before writing
to a client. The issue has been fixed in the development trunk[1] for
inclusion in an upcoming 1.1.5 release.

Initial report and findings:
https://bugzilla.mozilla.org/show_bug.cgi?id=952077 by Haris
(white...@hotmail.rs)

References:
[0]
https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss
[1]
https://bitbucket.org/skskeyserver/sks-keyserver/pull-request/30/issue26-fix-a-non-persistent-cross-site


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Aurum est Potestas
Gold is power





Re: [Sks-devel] Fwd: CVE request: SKS non-persistent XSS

2014-05-02 Thread Kristian Fiskerstrand
Plerror is local logging and not passed to a web client
On May 2, 2014 11:48 PM, "Daniel Kahn Gillmor" 
wrote:

> On 05/02/2014 07:35 AM, Kristian Fiskerstrand wrote:
>
> > A non-persistent client-side cross-site scripting attack was reported
> > against SKS[0] resulting from improper input sanitation before writing
> > to a client. The issue has been fixed in the development trunk[1] for
> > inclusion in an upcoming 1.1.5 release.
>
> Thanks for sorting this out, Kristian.
>
> I'm looking at your patch
> 378:88d453cdc858, and i note that it wraps s in HtmlTemplates.html_quote
> in wserver.ml in many places, mostly where ~body: is being set, but also
> in some cases where s shows up as an argument to plerror (e.g. in
> Bad_request).
>
> However, there are other invocations of plerror in the same section
> where s doesn't get html_quote'ed (e.g. in Page_not_found).
>
> I don't see where plerror is defined, actually, other than the interface
> declared in common.mli, so i'm not sure whether plerror needs escaping
> or not.
>
> But it seems like they should either all be escaped or none.  Is there a
> reason to do some and not others?
>
> --dkg
>
>


Re: [Sks-devel] Fwd: CVE request: SKS non-persistent XSS

2014-05-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/03/2014 12:29 AM, Daniel Kahn Gillmor wrote:
> On 05/02/2014 06:24 PM, Kristian Fiskerstrand wrote:
>> Plerror is local logging and not passed to a web client
> 
> In that case, why use html_quote s for the arguments to plerror
> when handling Bad_request ?
> 
> Thanks for such a quick response,

You are correct, I've reviewed the aforementioned commit and the
change re plerror in line 370 isn't strictly necessary, however, it
won't do any harm either :)

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"The power of accurate observation is commonly called cynicism by
those who have not got it."
George Bernard Shaw



[Sks-devel] [Announcement] SKS 1.1.5 Released

2014-05-05 Thread Kristian Fiskerstrand
ng list, submitting patches, or opening issues
for items that needed our attention.

Happy Hacking,
  The SKS Team (Yaron, John, Kristian, Phil, and the other contributors)


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Excellence is not a singular act but a habit. You are what you do
repeatedly."
(Shaquille O'Neal)



Re: [Sks-devel] [Announcement] SKS 1.1.5 Released

2014-05-06 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/06/2014 08:21 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:
> Hello.
> 
> On 05/06/2014 01:46 AM, Kristian Fiskerstrand wrote:
>> Hello,
>> 
>> We are pleased to announce the availability of a new stable SKS 
>> release:  Version 1.1.5.
> 
> I've compiled the new version for Debian. But:
> 
> # gdb --args sks recon
> GNU gdb (GDB) 7.6.2 (Debian 7.6.2-1)
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /usr/bin/sks...(no debugging symbols found)...done.
> (gdb) r
> Starting program: /usr/bin/sks recon
> warning: Could not load shared library symbols for linux-vdso.so.1.
> Do you need "set solib-search-path" or "set sysroot"?
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> 2014-05-06 10:19:24 Failed to listen on :::11370: Unix error: Address family not supported by protocol - socket()

Which ocaml version are you using? Note the requirement ocaml-3.11.0
or later (ocaml-3.12.x is recommended) (earlier versions also compiled
with 3.10.2)

> Unknown timeout type argument to DB_ENV->rep_set_timeout 
> DB_ENV->failchk: method not permitted before handle's open method

Have you changed BDB versions? What does your Makefile.local say?

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nomina stultorum scribuntur ubique locorum
Fools have the habit of writing their names everywhere



Re: [Sks-devel] [Announcement] SKS 1.1.5 Released

2014-05-06 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/06/2014 09:45 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:
> On 05/06/2014 11:30 AM, Kristian Fiskerstrand wrote:
>> On 05/06/2014 08:21 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:
>>> On 05/06/2014 01:46 AM, Kristian Fiskerstrand wrote:
>>>> We are pleased to announce the availability of a new stable
>>>> SKS release:  Version 1.1.5.
>> 
>>> I've compiled the new version for Debian. But:
>> 
>>> # gdb --args sks recon
>>> GNU gdb (GDB) 7.6.2 (Debian 7.6.2-1)
>>> Copyright (C) 2013 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "x86_64-linux-gnu".
>>> For bug reporting instructions, please see:
>>> <http://www.gnu.org/software/gdb/bugs/>...
>>> Reading symbols from /usr/bin/sks...(no debugging symbols found)...done.
>>> (gdb) r
>>> Starting program: /usr/bin/sks recon
>>> warning: Could not load shared library symbols for linux-vdso.so.1.
>>> Do you need "set solib-search-path" or "set sysroot"?
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>> 2014-05-06 10:19:24 Failed to listen on :::11370: Unix error: Address family not supported by protocol - socket()
>> 
>> Which ocaml version are you using? Note the requirement
>> ocaml-3.11.0 or later (ocaml-3.12.x is recommended) (earlier
>> versions also compiled with 3.10.2)
> 
> $ dpkg -l ocaml | tail -1
> ii  ocaml 3.12.1-4 amd64 ML language implementation with a class-based object system

I'll have to look into this a bit more. Do you notice the same if
specifying an explicit IPv4 address for recon_address and hkp_address?

> 
>>> Unknown timeout type argument to DB_ENV->rep_set_timeout 
>>> DB_ENV->failchk: method not permitted before handle's open
>>> method
>> 
>> Have you changed BDB versions?
> 
> In Makefile.local? — Yes. Was 4.6, now 4.7.

Try running the upgrade procedure described in
https://bitbucket.org/skskeyserver/sks-keyserver/src/8f41c42b1f004f77f8212182aba197f0d6b2f6c7/UPGRADING?at=default
most notably removing the current environment of the KDB and PTree.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Docendo discimus
We learn by teaching



[Sks-devel] Changes to sks-keyservers.net pools

2014-05-06 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear lists,

Following the release of SKS 1.1.5[0] the following changes will be
made to the pools of sks-keyservers.net

subset.pool.sks-keyservers.net has been set to a minimum requirement
of SKS 1.1.5 with immediate effect.

Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to
a requirement of 1.1.5 as this can potentially be in another security
context / zone, however I'm giving this a grace period of (at least)
45-60 days to allow server administrators to upgrade their servers.

I'm not making any changes to the main pool at this point.

References:
[0] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00026.html
[1] http://www.openwall.com/lists/oss-security/2014/05/01/16

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Statistics are like a bikini. What they reveal is suggestive, but
what they conceal is vital."
(Aaron Levenstein)



Re: [Sks-devel] Dirmngr now supports hkps

2014-05-07 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/07/2014 05:04 PM, Werner Koch wrote:
> On Tue,  6 May 2014 19:45,
> kristian.fiskerstr...@sumptuouscapital.com said:
> 
>> 8412a5825c225c8ff14de3ffaad2e55e040b2eca `make -j4` fails on my 
>> computer with ERROR described below. As of
> 
> Fixed.
> 
>> Also, if using --program-prefix='gpg2.1-' gpg fails to locate
>> the dirmngr,
> 
> Better use --prefix or --exec-prefix to put that version into a 
> different directory.  To allow for an arbitrary prefix we need to
> tell this common/homedir.c:gnupg_module_name.  There is an option
> to install gpg2 as gpg but for the other tools you would need to
> tell configure the full file name of the tools

Thanks for the pointer

> (e.g. --with-agent-pgm=/usr/local/bin/gpg2.1-gpg-agent) which is
> not that nice.  You may want to file a bug so that we do not forget
> about this missing feature.

I'll play around with my live ebuild a bit and see if I get around to
filing a bug once I get more familiar with the aforementioned options.

> 
>> Out of curiosity (as I haven't had time to look deeply enough
>> into the source code yet), how does dirmngr handle SNI in the
>> case of the hkps pool being resolved to multiple client? Does it
>> still present itself as SNI=hkps.pool.sks-keyservers.net when
>> contacting individual
> 
> We uses the name of the actual server.  Basically we do this:
> 
> if (!getaddrinfo (name, NULL, &hints, &aibuf)) for (ai = aibuf; ai;
> ai = ai->ai_next) getnameinfo (ai, tmphost, sizeof tmphost)
> 
> and then use TMPHOST to connect the host TMPHOST is the also given
> as SNI.  If the server can't be resolved this is likely a problem
> because the code will use the IP address as server name.  The HTTP
> code does not know about the pools, it takes an URL and applies
> proxy settings and resolves SRV records.

Ok, this seems to be a problem, I'll try to explain why I think so.

Certificates issued by the pool have (i) a CN with the server name,
which corresponds to the hostname provided in the server's sksconf or
similar and presented using /pks/lookup?op=stats and (ii) a
subjectAltName of the pool addresses including hkps. Only IP addresses
are provided for DNS request to the pools, as SRV records are
currently disabled due to existing bugs 1446[0] and 1447[1].

Based on your description of the current dirmngr behaviour I foresee
(at least) a few problems.
(i) as tmphost is derived from getnameinfo, the PTR record will be
used. A concrete example would be sks.karotte.org that resolves to
176.9.51.79 which has a PTR of alita.karotte.org. However no keyserver
is configured on [2] as the expected host is [3]. So trying to grab a
key will fail.

(ii) iff we require the PTR to match the hostname of the keyservers in
order to try to allow this behavior (keeping in mind that will limit
some server administrator's possibility to participate in the pool as
they might not be in control of the PTR records, or the sks service is
on a similar IP with other services that are prioritized), we'd still
have an issue in the situation where using the CN directly the server
might be presenting a self-signed / corporate signed certificate for
SNI == CN. In this case we will have a server authentication error

(iii) If the server upon SNI == CN ||  is presenting a
certificate signed by the CA Roots, we might or might not get a valid
authentication of the server, depending on whether the global root CA
store on a calling client is consulted.

I strongly suggest using the original hostname provided as SNI when
performing keyserver lookups, this is also consistent with current
behavior (some of these points are also valid for any virtual-hosting
setup for the reverse proxy servers. It will most likely be more of an
issue on the port 80 subpool than the main pool as we strongly
encourage administrators to allow all traffic on 11371 through to the
keyserver).

References:
[0] http://bugs.g10code.com/gnupg/issue1446
[1] http://bugs.g10code.com/gnupg/issue1447
[2] https://alita.karotte.org/pks/lookup?op=stats
[3] https://sks.karotte.org/pks/lookup?op=stats

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
-BEGIN PGP SIGNATURE-

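The certificate scheme and the name-derivation strategies discussed in this post (original hostname, PTR of the address, IP literal, CN directly), worked through as an added example that is not dirmngr or pool code: the hostnames, addresses, PTR data and certificate contents are constructed, and the issuer check is a simplified stand-in for full chain validation.

```python
"""Which name a client should send as SNI and verify against when it
connects to a pool member.  Every hostname, address and certificate below
is constructed for this example, not taken from a live server."""
import ipaddress
from dataclasses import dataclass

POOL_CA = "sks-keyservers.net CA"          # the pool's own issuer (constructed label)
POOL_NAMES = ("pool.sks-keyservers.net", "hkps.pool.sks-keyservers.net")


@dataclass(frozen=True)
class Cert:
    """Identity part of a certificate: CN is the operator's hostname (the one
    in sksconf / op=stats), SAN carries the pool names, issuer signed it."""
    common_name: str
    subject_alt_names: tuple
    issuer: str

    def names(self):
        return (self.common_name,) + self.subject_alt_names


def name_matches(cert_name: str, expected: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a single '*' allowed
    only as the whole left-most label."""
    c, e = cert_name.lower().rstrip("."), expected.lower().rstrip(".")
    if c == e:
        return True
    if c.startswith("*.") and "." in e:
        return c[2:] == e.split(".", 1)[1]
    return False


def verifies(cert: Cert, expected: str, trusted_issuers=(POOL_CA,)) -> bool:
    """True only if the issuer is trusted AND the expected name is in the
    certificate.  An IP literal never matches a DNS name, so falling back
    to the address cannot authenticate the server."""
    try:
        ipaddress.ip_address(expected)
        return False
    except ValueError:
        pass
    if cert.issuer not in trusted_issuers:
        return False
    return any(name_matches(n, expected) for n in cert.names())


# Constructed server modelled on the karotte.org case in the post: operator
# hostname sks.example.org, address 192.0.2.10, whose PTR names another host.
OPERATOR = "sks.example.org"
ADDRESS = "192.0.2.10"
PTR = {ADDRESS: "alita.example.org"}

POOL_CERT = Cert(OPERATOR, POOL_NAMES, POOL_CA)
# Point (ii): for SNI == CN this server answers with a corporate /
# self-signed certificate that a pool client does not trust.
CORPORATE_CERT = Cert(OPERATOR, (), "Example Corp internal CA")


def server_cert_for_sni(sni: str) -> Cert:
    """Virtual-hosting behaviour of the constructed server."""
    return CORPORATE_CERT if sni == OPERATOR else POOL_CERT


def candidate_names(configured: str, ip: str) -> dict:
    """The names a client could derive for SNI and verification."""
    return {
        "configured pool name": configured,     # hostname the user supplied
        "PTR of the address": PTR.get(ip, ip),  # getnameinfo() behaviour
        "IP literal": ip,                       # when no PTR exists
        "certificate CN": OPERATOR,             # operator hostname directly
    }


def evaluate(configured: str = "hkps.pool.sks-keyservers.net",
             ip: str = ADDRESS) -> dict:
    """Per strategy: send that name as SNI, take the certificate the server
    returns for it, and verify that certificate against the same name."""
    return {strategy: verifies(server_cert_for_sni(name), name)
            for strategy, name in candidate_names(configured, ip).items()}


if __name__ == "__main__":
    for strategy, ok in evaluate().items():
        print(f"{strategy:22} -> {'verifies' if ok else 'FAILS'}")
```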

Re: [Sks-devel] Changes to sks-keyservers.net pools

2014-05-07 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/06/2014 11:22 PM, Phil Pennock wrote:
> On 2014-05-06 at 17:53 +0200, Dinko Korunic wrote:
>> IMO delisting is fine as long as there is proper communication 
>> involved and people actually are aware that's going on -- I'm
>> sure that not all the SKS administrators read the sks-devel on a 
>> daily/weekly basis.
> 
> For clarity, this becomes: there's a chance that for a window of a 
> couple of weeks, the only SKS administrators who will be in the 
> rarely-used "subset" pool will be those who read SKS email daily.
> 
> There's a chance that Kristian's main pool will become a set of
> servers run only by administrators who check their email at least
> every 45 days. This being the pool of keyservers which are the
> default for a number of mainstream clients.

Just to further clarify, as stated originally I don't expect to be
making any change to the main pool at this time, so it would actually
only affect the hkps pool that is expected to be (more) secure due to
its TLS-nature.


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"I have always wished that my computer would be as easy to use as my
telephone.
My wish has come true -- I no longer know how to use my telephone"
(Bjarne Stroustrup, April 1999)
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Dirmngr now supports hkps

2014-05-07 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/07/2014 08:51 PM, Werner Koch wrote:
> On Wed,  7 May 2014 18:17,
> kristian.fiskerstr...@sumptuouscapital.com said:
> 


> 
>> I strongly suggest using the original hostname provided as SNI
>> when performing keyserver lookups, this is also consistent with
>> current
> 
> Okay.  What about a dirmngr options to enable or disable the use of
> the pool name?

As long as the hostname provided by the client is used by default for
(i) HTTP Host: and; (ii) in the context of TLS for SNI (c.f. arguments
similar to those presented in issue1447[0]) I don't have any arguments
against a tunable option to change the behavior.

References:
[0] http://bugs.g10code.com/gnupg/issue1447



- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Prævenire melius est quam præveniri
It is better to precede than to be preceded
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Changes to sks-keyservers.net pools

2014-05-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>> Dear lists,
>> 
>> Following the release of SKS 1.1.5[0] the following changes will
>> be made to the pools of sks-keyservers.net
>> 
>> subset.pool.sks-keyservers.net has been set to a minimum
>> requirement of SKS 1.1.5 with immediate effect.
>> 
>> Due to CVE-2014-3207[1] I want to bump
>> hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this
>> can potentially be in another security context / zone, however
>> I'm giving this a grace period of (at least) 45-60 days to allow
>> server administrators to upgrade their servers.

In recognition of package-maintainers backporting the security fixes
to older versions of SKS for stable systems I'm revising the latter
statement a bit. I have now implemented a test for affected servers
instead of relying on the version information. This is currently
active, and non-patched servers in the HKPS pool should now show up
with an orange flag for the HKPS column.


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nomina stultorum scribuntur ubique locorum
Fools have the habit of writing their names everywhere
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Changes to sks-keyservers.net pools

2014-05-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>> Dear lists,
>>> 
>>> Following the release of SKS 1.1.5[0] the following changes
>>> will be made to the pools of sks-keyservers.net
>>> 
>>> subset.pool.sks-keyservers.net has been set to a minimum 
>>> requirement of SKS 1.1.5 with immediate effect.
>>> 
>>> Due to CVE-2014-3207[1] I want to bump 
>>> hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this 
>>> can potentially be in another security context / zone, however 
>>> I'm giving this a grace period of (at least) 45-60 days to
>>> allow server administrators to upgrade their servers.
> 
> In recognition of package-maintainers backporting the security
> fixes to older versions of SKS for stable systems I'm revising the
> latter statement a bit. I have now implemented a test for affected
> servers instead of relying on the version information. This is
> currently active, and non-patched servers in the HKPS pool should
> now show up with an orange flag for the HKPS column.
> 

Adding to that, this would also keep servers that are protected due to
the reverse proxy configuration remaining.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ad astra per aspera
To the stars through thorns
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Changes to sks-keyservers.net pools

2014-05-12 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/12/2014 07:40 AM, Gabor Kiss wrote:
>> In recognition of package-maintainers backporting the security
>> fixes to older versions of SKS for stable systems I'm revising
>> the latter statement a bit. I have now implemented a test for
>> affected servers instead of relying on the version information.
>> This is currently active, and non-patched servers in the HKPS
>> pool should now show up with an orange flag for the HKPS column.
> 
> Eeerr... I know I speak against myself but keys.niif.hu is waiting
> for backported 1.1.5 Debian package but it got green flag.
> 
> Gabor

Your reverse proxy is URLencoding the input, so curl
"http://$1:11371/pks/lookup/undefined1prompt('CVE-2014-3207')"
actually gives back Page not found:
/pks/lookup/undefined1%3CScRiPt%3Eprompt('CVE-2014-3207')%3C/ScRiPt%3E
which should not be exploitable.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Carpe noctem
Seize the night
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Changes to sks-keyservers.net pools

2014-05-12 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/12/2014 01:34 AM, Jeremy T. Bouse wrote:
> On 05/11/2014 05:18 PM, Kristian Fiskerstrand wrote:
>> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>>> Dear lists,
>>>>> 
>>>>> Following the release of SKS 1.1.5[0] the following
>>>>> changes will be made to the pools of sks-keyservers.net
>>>>> 
>>>>> subset.pool.sks-keyservers.net has been set to a minimum 
>>>>> requirement of SKS 1.1.5 with immediate effect.
>>>>> 
>>>>> Due to CVE-2014-3207[1] I want to bump 
>>>>> hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as
>>>>> this can potentially be in another security context / zone,
>>>>> however I'm giving this a grace period of (at least) 45-60
>>>>> days to allow server administrators to upgrade their
>>>>> servers.
>>> 
>>> In recognition of package-maintainers backporting the security 
>>> fixes to older versions of SKS for stable systems I'm revising
>>> the latter statement a bit. I have now implemented a test for
>>> affected servers instead of relying on the version information.
>>> This is currently active, and non-patched servers in the HKPS
>>> pool should now show up with an orange flag for the HKPS
>>> column.
>>> 
>> 
>> Adding to that, this would also keep servers that are protected
>> due to the reverse proxy configuration remaining.
>> 
> 
> So where are the details on how the reverse proxy can be
> reconfigured to mitigate this issue until sks is upgraded? Assuming
> I'm understanding your statement correctly.
> 

For apache used as proxy, look into "Normally, mod_proxy will
canonicalise ProxyPassed URLs. But this may be incompatible with some
backends, particularly those that make use of PATH_INFO. The optional
nocanon keyword suppresses this, and passes the URL path "raw" to the
backend. Note that may affect the security of your backend, as it
removes the normal limited protection against URL-based attacks
provided by the proxy.

http://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass



- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Donec eris sospes, multos numerabis amicos.
Tempora si fuerint nubila, solus eris.
As long as you are wealthy, you will have many friends.
When the tough times come, you will be left alone
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
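A model, added here and not mod_proxy's own code, of the path canonicalisation the proxy performs before forwarding a request to SKS and of what the `nocanon` keyword gives up; the probe path is the one shown in the log lines earlier in the thread, and the set of characters left unencoded is an assumption following RFC 3986 path syntax.

```python
"""Model of a reverse proxy's URL canonicalisation in front of an unpatched
SKS.  Added illustration, not mod_proxy code."""
from urllib.parse import quote

# Left unchanged by the model: RFC 3986 unreserved + sub-delims + ':' '@' '/',
# plus '%' so already-encoded octets are not double-encoded.  '<', '>', '"'
# and whitespace fall outside this set and are percent-encoded.
PATH_SAFE = "/:@!$&'()*+,;=-._~%"


def canonicalise(raw_uri: str) -> str:
    """Re-encode the path part; the query string is passed on as received
    (an assumption about the proxy's behaviour, used only in this model)."""
    path, sep, query = raw_uri.partition("?")
    return quote(path, safe=PATH_SAFE) + sep + query


def forwarded_uri(raw_uri: str, nocanon: bool) -> str:
    """What the backend receives under ProxyPass with or without nocanon."""
    return raw_uri if nocanon else canonicalise(raw_uri)


def echoes_markup(backend_uri: str) -> bool:
    """An unpatched SKS copies the request path into its 'Page not found'
    body without escaping; that only matters if markup characters reach
    it raw."""
    return any(ch in backend_uri for ch in '<>"')


# The pool's detection probe, as seen in the log lines earlier in the thread
PROBE = "/pks/lookup/undefined1<ScRiPt>prompt('CVE-2014-3207')</ScRiPt>"


def assess(raw_uri: str = PROBE, nocanon: bool = False) -> dict:
    """Report what the backend sees and whether the proxy neutralised it."""
    seen = forwarded_uri(raw_uri, nocanon)
    return {"backend_sees": seen, "mitigated": not echoes_markup(seen)}


if __name__ == "__main__":
    for flag in (False, True):
        r = assess(nocanon=flag)
        print(f"nocanon={flag}: mitigated={r['mitigated']}  {r['backend_sees']}")
```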



Re: [Sks-devel] Dirmngr now supports hkps

2014-05-15 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/15/2014 12:07 PM, Werner Koch wrote:
> Hi,
> 
> thanks for the comments.  To get things straight, let me summarize
> my understanding:
> 
> For plain HTTP:
> 
> - No change to the current code
> 
> or
> 
> - Resolve the name while following CNAME records to get a list of
> IP addresses.  Then connect any server at its IP address but use
> the canonical name of the pool (the one which yields the 
> records) for the Host: header.
> 
> 
> For HTTPS:
> 
> - Resolve the name while following CNAME records to get a list of
> IP addresses.  Then connect any server at its IP address but use
> the canonical name of the pool (the one which yields the 
> records) for the Host: header.  Use that host: Header name also for
> SNI.
> 
> 
> In all cases make this the default behaviour if the hkp or the hkps
> is used for the keyserver URL.  If http or https is used, do the
> same or use a different approach (e.g. let the DNS resolver
> decide)?

I'd expect the same issues wrt Host: (for virtual hosting sites) for
http and https, as well as SNI for the latter for these protocols as
for hkp(s). The rest sounds good to me.


> 
> Use of SRV records is subject to bug 1447 and will be fixed in a
> second step?

This is indeed currently disabled in the pool so it won't create an
issue in the short term and can be postponed to get a working beta out
from my point of view.


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"We can only see a short distance ahead, but we can see plenty there
that needs to be done."
(Alan Turing)
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
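The resolution plan summarised in the quoted message (follow CNAMEs to the canonical pool name, connect by address, keep that name for Host: and SNI, same handling for hkp(s) and http(s)), as an added example that is not GnuPG code: the zone data is a constructed table, and the default ports for hkp/hkps are assumed to be 11371/443.

```python
"""Connection planning for a keyserver URL: follow CNAME records to the
canonical pool name, connect to one of its addresses, and use the canonical
name for both the Host: header and the TLS SNI.  The zone data below is a
constructed table, not live DNS."""
from urllib.parse import urlsplit

# Constructed records: the user configured an alias that is a CNAME to the
# pool name; the pool name itself carries several A records.  Two extra
# names form a CNAME loop to exercise the loop guard.
DNS = {
    "keys.example.net": ("CNAME", "hkps.pool.sks-keyservers.net"),
    "hkps.pool.sks-keyservers.net": ("A", ["192.0.2.10", "192.0.2.11", "198.51.100.7"]),
    "sks.example.org": ("A", ["192.0.2.10"]),
    "loop-a.example.net": ("CNAME", "loop-b.example.net"),
    "loop-b.example.net": ("CNAME", "loop-a.example.net"),
}
MAX_CNAME_DEPTH = 8

# scheme -> (uses TLS, default port); hkp/hkps ride on http/https transport
SCHEMES = {"hkp": (False, 11371), "hkps": (True, 443),
           "http": (False, 80), "https": (True, 443)}


def canonicalize(name: str):
    """Follow CNAMEs and return (canonical name, its address list).
    The PTR records of those addresses are never consulted."""
    seen = set()
    while True:
        if name in seen or len(seen) >= MAX_CNAME_DEPTH:
            raise ValueError(f"CNAME loop or chain too long at {name!r}")
        seen.add(name)
        rtype, data = DNS.get(name.lower().rstrip("."), ("NXDOMAIN", None))
        if rtype == "CNAME":
            name = data
        elif rtype == "A":
            return name, list(data)
        else:
            raise LookupError(f"no address records for {name!r}")


def plan(keyserver_url: str, pick: int = 0) -> dict:
    """Parameters for one connection attempt.  `pick` selects which of the
    canonical name's addresses to dial (round-robin over the list)."""
    u = urlsplit(keyserver_url)
    if u.scheme not in SCHEMES or not u.hostname:
        raise ValueError(f"unsupported keyserver URL {keyserver_url!r}")
    tls, default_port = SCHEMES[u.scheme]
    canonical, addrs = canonicalize(u.hostname)
    port = u.port or default_port
    return {
        "connect_to": (addrs[pick % len(addrs)], port),
        # Host: names the pool, never the PTR of the address that was dialled
        "host_header": canonical if port == default_port else f"{canonical}:{port}",
        "sni": canonical if tls else None,   # same name for SNI under TLS
        "tls": tls,
    }


def request_head(keyserver_url: str, path: str, pick: int = 0) -> str:
    """The request line and Host: header the client would send."""
    p = plan(keyserver_url, pick)
    return f"GET {path} HTTP/1.1\r\nHost: {p['host_header']}\r\n\r\n"


if __name__ == "__main__":
    print(plan("hkps://keys.example.net"))
    print(request_head("hkp://sks.example.org", "/pks/lookup?op=stats"))
```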



Re: [Sks-devel] Just coincidence or targeted attack?

2014-05-19 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/19/2014 07:12 PM, Tobias Frei wrote:
> Hi,
> 

Hi Tobias,

> running "tail -f db.log" gave me weird requests like these:
> 

> 2014-05-19 18:35:57 Error handling request (POST,/pks/add,[ 
> accept:*/* connection:close content-length:82 
> content-type:application/x-www-form-urlencoded 
> host:127.0.0.1:11372]): Failure("Error while decoding
> ascii-armored key: text terminated before beginning of ascii
> block")

^^ This

> 2014-05-19 18:36:01 Page not found: 
> /pks/lookup/undefined1prompt('CVE-2014-3207')

^^ And this

> 2014-05-19 18:36:38 No results for request

Is part of the pool detection

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Bene diagnoscitur, bene curatur
Something that is well diagnosed can be cured well
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Just coincidence or targeted attack?

2014-05-19 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/19/2014 09:08 PM, Phil Pennock wrote:
> On 2014-05-19 at 19:12 +0200, Tobias Frei wrote:
>> ...about every five seconds. The connections appear to come from


...

> 
> 8< cut here
> >8-- 2014-05-15 14:35:35 Error handling
> request (POST,/pks/add,[ accept:*/* connection:close 
> content-length:82 content-type:application/x-www-form-urlencoded 
> host:pool.sks-keyservers.net:11371 
> x-forwarded-for:2001:16d8:ee00:58::2 
> x-real-ip:2001:16d8:ee00:58::2]): Failure("Error while decoding
> ascii-armored key: text terminated before beginning of ascii
> block") 8< cut here
> >8--

To add some context to this specific request, it is Issue 12 in the
pool issue tracker[0] that is implemented as [1]


Reference:
[0]
https://code.google.com/p/sks-keyservers-pool/issues/detail?id=12&can=1
[1]
https://code.google.com/p/sks-keyservers-pool/source/browse/trunk/sks-keyservers.net/status-srv/sks_get_peer_data.php#280


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"There is no urge so great as for one man to edit another man's work."
(Mark Twain)
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Heartbleed and HKPS pool

2014-05-24 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/24/2014 08:32 AM, Gabor Kiss wrote:
> On Wed, 9 Apr 2014, kristian.fiskerstr...@sumptuouscapital.com
> wrote:
> 
>> You are quite correct, and I will revoke and issue new
>> certificates as I get CSRs signed with the same openpgp keys that
>> I originally got requests from.
> 
> Dear Kristian,
> 
> Please consider to remove vulnerable servers from HKPS pool. This
> is not a cosmetic problem like SKS version number but much
> serious. Some guys promise secure channel for communication but 
> this is everything but secure.
> 

I'll consider this once we reach the grace-period timeout (i.e.
revoking any certs that haven't been updated that seem vulnerable)


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Great things are not accomplished by those who yield to trends and
fads and popular opinion."
(Jack Kerouac)
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



Re: [Sks-devel] Heartbleed and HKPS pool

2014-05-27 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:
> On 05/27/2014 09:27 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:
>> BTW, is it right that our server is not in the HKPS pool 
>> "hkps.pool.sks-keyservers.net".
>> 


..


> 
> the "host" command just looks things up in the DNS.  the DNS
> round-robin arrangement only publishes a limited number of records
> of any given time (10, maybe?) -- if there are more, they will be
> served randomly on future requests.

Correct, but it is even more complicated than that. The authoritative
DNS server refreshes based on a random 10 servers every 15 minutes.
Which servers are included then depends on any caching in the
downstream DNS servers, so it is quite likely different users will see
a different selection of the enabled servers.

> 
> To check the inclusion of your server in the hkps pool, look at the
> HKPS column of:
> 
> https://sks-keyservers.net/status/

Indeed, or the meta page for the server in question.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Fabricando fit faber
Practice makes perfect
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Heartbleed and HKPS pool

2014-05-28 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/28/2014 08:30 AM, Christian wrote:
> Hey,
> 
> and while we are on the subject: If I install my Class 2 (!) OV 
> Certificate from startssl the hkps button changes red. A valid 
> certificate is not valid. I can understand that self-signed 
> certificates will turn the hkps indicator red, but why don't we
> accept OV certificates that every client will accept in the first
> place?

They will not be able to issue a certificate related to
hkps.pool.sks-keyservers.net as CN or subjectAltName, i.e. the
validation on a pool would fail.

> 
> I hardly think that *any* client has the CA of sks installed per 
> default (nor would an average client care to).

It is part of GnuPG 2.1 [0]
> 
> And the validation of the sks CA is the same as a Class 1 DV
> certificate.
> 
> 
> tl;dr: We should allow valid signed certificates by default,
> alongside of the SKS Ca and only turn the button red on self-signed
> (or invalids).
> 

Users are free to choose any server they want.

References
[0]
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=dirmngr/sks-keyservers.netCA.pem;h=24a2ad2e8e39498b4842bd31689f230148d08693;hb=refs/heads/master


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ubi mel ibi apes
Where there's honey, there are bees
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Heartbleed and HKPS pool

2014-05-28 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/27/2014 11:41 PM, Andrew Alderwick wrote:
> Dear Rolf,
> 
> On Tue, May 27, 2014 at 10:18:31PM +0200, Rolf Wuerdemann wrote:
>> Am 27.05.2014 17:41, schrieb Kristian Fiskerstrand:
>>> On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:
>>>> To check the inclusion of your server in the hkps pool, look
>>>> at the HKPS column of:
>>>> 
>>>> https://sks-keyservers.net/status/
>> 
>> Could you please explain the color-codes (on the page?). 
>> Red/green is obvious, but I don't know where this "orange" color
>> for hkps sites comes from (SNI?)
> 
> Orange under the hkps column means that the server is vulnerable
> to CVE-2014-3207, which has been patched in SKS 1.1.5 [1,2].
> 
> The vulnerability isn't limited to hkps, but Kristian will at some
> point make 1.1.5 a requirement for being part of the hkps pool [3].
> So the orange is left undocumented as it's intended as a temporary
> warning to admins (such as me!) who are yet to update their
> servers.
> 

To clarify, I updated the statement a bit on [0,1] so that servers on
older versions with backported security patch or behind a mitigating
reverse proxy configuration will still be included, this is handled by
the pool software and why some HKPS are flagged green despite being <1.1.5

References:
[0] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00056.html
[1] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00057.html



- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Great things are not accomplished by those who yield to trends and
fads and popular opinion."
(Jack Kerouac)
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Sks-devel] Heartbleed and HKPS pool

2014-05-28 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/28/2014 01:05 PM, dirk astrath wrote:
> Hello Kristian,
> 
>>> I hardly think that *any* client has the CA of sks installed
>>> per default (nor would an average client care to).
>> it is part of gnupg 2.1 [0]
> 
> hm ... even if gnupg 2.1 will check the CRL (i assume, you don't
> (plan to) run an OCSP-server) ...
> 
> when i access the keyserver-pool using my browser to have an
> encrypted channel to search/upload/... keys, the revocation-status
> of a certificate should be checked.
> 
> currently (without the CRL) the expiration date is the only way my 
> browser knows, that the certificate is no longer valid.
> 
> ... and ... yes ... gnupg 2.1 is not "every client" ... ;-)
> 
> have a nice day ...
> 

The CRL is published on [0] as stated on [1]. You are correct that for
a few of the later certs no CRL has been published along the cert (mea
culpa - an error I made in my config file). However if you see e.g. [2]
the CRL distribution point is back in the certs.

References:
[0] https://sks-keyservers.net/ca/crl.pem
[1] https://sks-keyservers.net/overview-of-pools.php
[2] https://keys.digitalis.org/

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Testis unus, testis nullus
A single witness is no witness
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



Re: [Sks-devel] Peering request from Zurich / Switzerland

2014-06-05 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 06/06/2014 03:21 AM, Phil Pennock wrote:
> On 2014-06-05 at 19:37 +0200, MSW-Technologies.de wrote:
>> we have just set up a public keyserver located at:
>> 
>> gpg.directory 11370
>> 
>> The server is operated by NAG Netbone Digital AG (RIPE member) in
>> Zurich, Switzerland.
> 
> According to <http://gpg.directory:11371/pks/lookup?op=stats> you
> are running SKS 1.1.3 -- this has a known cross-site scripting 
> vulnerability, so you're soon going to be ineligible to be a member
> of the main serving pool, if that matters to you.
> 

To be a bit pedantic, a requirement to have fixed CVE-2014-3207 will
only apply to the HKPS pool initially.

> 
> You also _appear_ to not have a front-end reverse-proxy in front of
> your server, which is why you're showing in red at 
> <https://sks-keyservers.net/status/>.  You should be aware that
> SKS serves a single request at a time, in the one thread, before
> accepting the next request, so one slow client can DoS your
> service.  Best current practice is to deploy with a reverse proxy
> in front.

Total number of keys: 4 << is important to note as well. There is no
keydump loaded as per Initial Keydump section of
https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"The power of accurate observation is commonly called cynicism by
those who have not got it."
George Bernard Shaw


Re: [Sks-devel] Changes to sks-keyservers.net pools

2014-06-14 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 05/11/2014 11:18 PM, Kristian Fiskerstrand wrote:
> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>> Dear lists,
>>>> 
>>>> Following the release of SKS 1.1.5[0] the following changes 
>>>> will be made to the pools of sks-keyservers.net
>>>> 
>>>> subset.pool.sks-keyservers.net has been set to a minimum 
>>>> requirement of SKS 1.1.5 with immediate effect.
>>>> 
>>>> Due to CVE-2014-3207[1] I want to bump 
>>>> hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as
>>>> this can potentially be in another security context / zone,
>>>> however I'm giving this a grace period of (at least) 45-60
>>>> days to allow server administrators to upgrade their
>>>> servers.
> 
>> In recognition of package-maintainers backporting the security 
>> fixes to older versions of SKS for stable systems I'm revising
>> the latter statement a bit. I have now implemented a test for
>> affected servers instead of relying on the version information.
>> This is currently active, and non-patched servers in the HKPS
>> pool should now show up with an orange flag for the HKPS column.
> 
> 
> Adding to that, this would also keep servers that are protected due
> to the reverse proxy configuration remaining.

As only one server was left in the HKPS pool that hasn't been updated
to fix this issue (or behind a rprox protecting it for it), the
procedures have now been activated to discard this server.

As of now the HKPS pool should be safe for CVE-2014-3207.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Excellence is not a singular act but a habit. You are what you do
repeatedly."
(Shaquille O'Neal)


Re: [Sks-devel] new keyserver is running...

2014-06-18 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 06/18/2014 03:25 PM, Michael Albrecht wrote:
> Hello,

Hi Michael,

> 
> I have a new keyserver running and would like to peer with other 
> servers. Please add me to your 'membership' file with the
> following entry and provide your details in return so I can do the
> same:
> 
> keys.fischerkoenig.de  11370 # MichaelAlbrecht F7874EA/

Is this keyserver operating behind a reverse proxy (it doesn't
identify to do so), and what is the purpose of pool.sks-keyservers.net
and eu.pool.sks-keyservers.net in the peer list?


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Fabricando fit faber
Practice makes perfect


Re: [Sks-devel] Problems with peering via NAT

2014-06-18 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 06/18/2014 04:07 PM, Christian Felsing wrote:
> Hello,
> 
> I tried to set up a peering with a SKS (1.1.5, Debian wheezy
> backports) through IP-NAT. Now I got following problem:
> 
> 2014-06-18 10:34:28 Requesting 100 missing keys from  [*.*.*.*]:11371>, starting with FB5408362D6C750E24A6551BE4336538 
> 2014-06-18 10:34:28 Error getting missing keys: End_of_file

That should not be an issue as long as the appropriate port forwarding
is set up. Can't debug without knowing the specific server, but try
connecting to the reported HTTP port in /pks/lookup?op=stats of the
server in question and see if you get a connection, this might differ
from 11371 if behind a reverse proxy and listening on another port
rather than just the local interface on the same port.

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Fabricando fit faber
Practice makes perfect


Re: [Sks-devel] Running a non-pool keyserver & identifying offline peers

2014-08-01 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/01/2014 12:08 PM, Pete Stephenson wrote:
> Dear all,
> 

...

> 
> Is there a way to have the public and private systems stay in sync,
> but privately?

One option is using a local hostname in the peer file and put an entry
in /etc/hosts for it. Another is that I can put it in the global
exclude list of the pool.

> 
> 2. I have recently observed lines such as the following appearing
> in my recon.log:
> 
> 2014-08-01 07:21:36  error in callback.: Sys_error("Connection reset by peer")
> 2014-08-01 07:23:38  client> error in callback.: Unix error: Connection refused - connect()
> 
> I assume this means that a remote keyserver peer is offline or
> otherwise not responding to recon attempts. However, the recon log
> does not indicate which peer is not responding, which makes
> diagnosing the issue a bit difficult.
> 
> Is there a way of determining which peer(s) are having issues?

This message also shows up if gossip is temporarily disabled due to
the server currently being in a recon process with another server, so
nothing needs to be wrong per se.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Be a yardstick of quality. Some people aren't used to an environment
where excellence is expected."
(Steve Jobs)


Re: [Sks-devel] Running a non-pool keyserver & identifying offline peers

2014-08-01 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/01/2014 12:50 PM, Pete Stephenson wrote:
> On 8/1/2014 12:27 PM, Kristian Fiskerstrand wrote:
>> On 08/01/2014 12:08 PM, Pete Stephenson wrote:
>>> Dear all,
>> 
>> 
>> ...
>> 
>> 
>>> Is there a way to have the public and private systems stay in
>>> sync, but privately?
>> 
>> One option is using a local hostname in the peer file and put an
>> entry in /etc/hosts for it. Another is that I can put it in the
>> global exclude list of the pool.
> 
> Interesting. I'll look into the local hostname thing -- would using
> that method prevent the private server from showing up in the
> "Servers currently not in the pool" listing at
> https://sks-keyservers.net/status/ or not?

It'd still show up in servers not part of the pool.

> 
> I assume that since the test systems can't access it then it won't
> end up in the pool.
> 

Affirmed.

...

> 
> On a related note, I propose a feature for future versions of SKS:
> add an "OK/Not OK" indicator for each server's stats page 
> ([keyserver]/pks/lookup?op=stats) so an admin can easily check if
> all the peers are working as expected. This is currently done at 
> https://sks-keyservers.net/status/info/[keyserver] but it'd be nice
> to have it locally as well.

How would the server know if it is good or not? A keyserver can run on
a stand-alone basis with 10 keys for an organization and be perfectly
useful. E.g. I use single instances for key signing parties to receive
keys to auto-generate lists from. So this doesn't belong in the server
software, but on the abstraction layer.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Cogito ergo sum
I think, therefore I am


Re: [Sks-devel] New SKS Server : PGP.ROOT.GG

2014-08-09 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/09/2014 10:56 AM, Mathieu Bodjikian wrote:
> Hello there,
> 
> I'm Mathieu BODJIKIAN, from France.

Hi Mathieu, welcome to the community.
> 
> I just set up a new sks server. I imported a full dump (date of
> dump : August 3rd 2014)
> 

...

> 
> I'm wroting here, to know if somebody want to peer with me ? :)

*A few notes:*

These points will make the server not be eligible for pool inclusion:
 - The server is running version 1.1.3, I recommend upgrading to
   1.1.5.
 - The server is not behind a reverse proxy
 - The hostname sent by the server is "pgp", which is not a FQDN.

Misc:
 - You do not provide a peering line for the membership that can be
   used by others.
 - For the message to be OpenPGP signed and matching the key specified
   in the server_contact sksconfig would be nice.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nunc aut numquam
Now or never


Re: [Sks-devel] "quality" of keyservers offering hkps

2014-08-14 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/14/2014 02:12 PM, Christoph Egger wrote:
> "Kiss Gabor (Bitman)"  writes:
>>> - mitm attacks  may manipulate up-/downloaded keys
>> 
>> no
>> 
>> Every uploaded key can be manipulated legally by anyone. (I.e.
>> you attach a new signature to your friend's key and you send back
>> to the key servers.) Moreover anybody can send a totally new key
>> in the name of you. Public key server is like Wikipedia or a
>> piece of paper. And everybody has a pencil. :-)
> 
> You can still block certain pakets from up/downloads (i.e. not 
> providing signature pakets for some key -- kind of a DoS when
> checking a trust path)

Or even more importantly, providing a public key where a revocation
signature has been removed.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nosce te ipsum!
Know thyself!


Re: [Sks-devel] "quality" of keyservers offering hkps

2014-08-14 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/14/2014 04:04 PM, Pete Stephenson wrote:
> On 8/14/2014 2:23 PM, Kristian Fiskerstrand wrote:
>> On 08/14/2014 02:12 PM, Christoph Egger wrote:
>>> "Kiss Gabor (Bitman)"  writes:
>>>>> - mitm attacks  may manipulate up-/downloaded keys
>>>> 
>>>> no
>>>> 
>>>> Every uploaded key can be manipulated legally by anyone. 
>>>> (I.e. you attach a new signature to your friend's key and
>>>> you send back to the key servers.) Moreover anybody can send
>>>> a totally new key in the name of you. Public key server is
>>>> like Wikipedia or a piece of paper. And everybody has a
>>>> pencil. :-)
>> 
>>> You can still block certain pakets from up/downloads (i.e. not 
>>> providing signature pakets for some key -- kind of a DoS when 
>>> checking a trust path)
>> 
>> Or even more importantly, providing a public key where a 
>> revocation signature has been removed.
> 
> Is this possible?

Certainly

> 
> My (albeit limited) understanding is that SKS is an append-only 
> system, and that it is not possible to remove key packets that are 
> already on the servers.
> 
> Wouldn't a bad guy: a. Need the private key to edit self-signed 
> elements, like revocation signatures?

No, you can drop the full signature or just use a copy of the key from
before revocation was appended.

> b. Be unable to remove the revocation signature, as SKS servers are
> append-only?
> 

Not in a MITM scenario where you don't really talk with SKS in the
first place, hence a very good reason for HKPS in the first place.


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Timendi causa est nescire
The cause of fear is ignorance


Re: [Sks-devel] "quality" of keyservers offering hkps

2014-08-14 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/14/2014 04:36 PM, Pete Stephenson wrote:
> On 8/14/2014 4:06 PM, Kristian Fiskerstrand wrote:
>> On 08/14/2014 04:04 PM, Pete Stephenson wrote:
>>> My (albeit limited) understanding is that SKS is an append-only
>>>  system, and that it is not possible to remove key packets that
>>> are already on the servers.
>> 
>>> Wouldn't a bad guy: a. Need the private key to edit self-signed
>>>  elements, like revocation signatures?
>> 
>> No, you can drop the full signature or just use a copy of the key
>> from before revocation was appended.
>> 
>>> b. Be unable to remove the revocation signature, as SKS servers
>>> are append-only?
>> 
>> Not in a MITM scenario where you don't really talk with SKS in
>> the first place, hence a very good reason for HKPS in the first
>> place.
> 
> [re-sending to list, as I inadvertently sent this response directly
> to Kristian]
> 
> Ok. Just for clarity, these attacks are only possible in a MITM 
> scenario, correct?
> 
> Am I correct in my understanding that the bad guy could only do
> the packet stripping if they were MITMing the client and presented
> the user with the desired key sans the revocation signature?
> 
> That is, the bad guy can't upload the key sans revocation signature
> to the actual pool, since the pool is append-only and so the
> revocation signature would not be removed from the pool.
> 

Affirmative. Or DoSing the client so that no request for update of the
key containing the revocation certificate is in place. Or the user's
operational security parameters are insufficient at updating certs
regularly.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Fabricando fit faber
Practice makes perfect
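
The thread above describes an on-path attacker handing a client a copy of a key with its revocation signature removed; the key servers themselves only ever merge packets, so the stripped copy exists only on the path between attacker and client, and HKPS is the mitigation for that path. The following Python is an added example, not SKS or GnuPG code, that shows what a client-side refresh guard checks: it walks the packets of a cached key block and of a freshly fetched copy and reports any revocation signature that has disappeared. The key and signature packets it runs on are constructed placeholders with dummy bodies, and the `iter_packets`, `revocation_sigs` and `missing_revocations` names are this example's own.

```python
import hashlib

# Signature types that revoke something (RFC 4880 section 5.2.1).
REVOCATION_SIG_TYPES = {0x20: "key revocation",
                        0x28: "subkey revocation",
                        0x30: "certification revocation"}


def iter_packets(blob):
    """Yield (tag, body) for each packet in a binary OpenPGP key block.
    Old-format headers with length types 0-2 and new-format headers with
    one-, two- and five-octet lengths are handled; streaming forms are rejected."""
    off = 0
    while off < len(blob):
        ctb = blob[off]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % off)
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            first = blob[off + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + blob[off + 2] + 192, 3
            elif first == 255:
                length, hlen = int.from_bytes(blob[off + 2:off + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hlen = 1 + (1 << ltype)
            length = int.from_bytes(blob[off + 1:off + hlen], "big")
        body = blob[off + hlen:off + hlen + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % off)
        yield tag, body
        off += hlen + length


def revocation_sigs(blob):
    """Map sha256(body) -> description for every v4 revocation signature packet."""
    found = {}
    for tag, body in iter_packets(blob):
        if tag == 2 and body[0] == 4 and body[1] in REVOCATION_SIG_TYPES:
            found[hashlib.sha256(body).hexdigest()] = REVOCATION_SIG_TYPES[body[1]]
    return found


def missing_revocations(cached, fetched):
    """Revocations present in the cached copy but absent from the fetched one.
    Since key servers only merge, a refreshed copy that has lost a revocation
    is a bad fetch and must never be treated as an un-revocation."""
    before, after = revocation_sigs(cached), revocation_sigs(fetched)
    return [desc for digest, desc in before.items() if digest not in after]


# Constructed packets for the demonstration: a v4 public key, a key
# revocation (0x20), a user id and a positive certification (0x13). The
# signature bodies are zero-filled placeholders, not real signatures.
def _old(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body

def _new(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body

_PUBKEY = _old(6, b"\x04" + b"\x00\x00\x00\x01" + b"\x16" + b"\x00" * 12)
_REVOKE = _old(2, b"\x04\x20\x16\x08" + b"\x00" * 20)
_USERID = _new(13, b"alice <alice@example.invalid>")
_SELFSIG = _new(2, b"\x04\x13\x16\x08" + b"\x00" * 20)

CACHED_KEY = _PUBKEY + _REVOKE + _USERID + _SELFSIG
STRIPPED_KEY = _PUBKEY + _USERID + _SELFSIG      # what a tampered fetch would yield

if __name__ == "__main__":
    print(missing_revocations(CACHED_KEY, STRIPPED_KEY))   # ['key revocation']
    print(missing_revocations(CACHED_KEY, CACHED_KEY))     # []
```

The comparison is by packet digest rather than by position, so reordering of packets by the server does not trigger a report; only an actual absence does. A client that merges the fetched copy into its local copy keeps the revocation regardless, which is why the guard belongs at the point where a fetch would otherwise replace the local key.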


[Sks-devel] Fwd: [openpgp] EdDSA/Ed25519 I-D for OpenPGP

2014-08-19 Thread Kristian Fiskerstrand
iting an
  IANA Considerations Section in RFCs", BCP 26, RFC 5226,
  May 2008.

   [RFC6637]  Jivsov, A., "Elliptic Curve Cryptography (ECC) in
  OpenPGP", RFC 6637, June 2012.

Appendix A.  Test vectors

   To help implementing this specification a non-normative example is
   given.  This example assumes that the algorithm id for EdDSA will be
   22.

A.1.  Sample key

   The secret key used for this example is:

   D: 1a8b1ff05ded48e18bf50166c664ab023ea70003d78d9e41f5758a91d850f8d2

   Note that this is the raw secret key as used as input to the EdDSA
   signing operation.  The key was created on 2014-08-19 14:28:27 and
   thus the fingerprint of the OpenPGP key is:

  C959 BDBA FA32 A2F8 9A15  3B67 8CFD E121 9796 5A9A

   The algorithm specific input parameters without the MPI length
   headers are:

   oid: 2b06010401da470f01

   q: 403f098994bdd916ed4053197934e4a87c80733a1280d62f8010992e43ee3b2406

   The entire public key packet is thus

  98 33 04 53 f3 5f 0b 16  09 2b 06 01 04 01 da 47
  0f 01 01 07 40 3f 09 89  94 bd d9 16 ed 40 53 19
  79 34 e4 a8 7c 80 73 3a  12 80 d6 2f 80 10 99 2e
  43 ee 3b 24 06

A.2.  Sample signature

   The signature is created using the sample key over the input data
   "OpenPGP" on 2015-09-16 12:24:53 and thus the input to the hash
   function is

   m: 4f70656e504750040016080006050255f95f9504ff000c

   using the SHA-256 hash algorithm yields this digest

   d: f6220a3f757814f4c2176ffbb68b00249cd4ccdc059c4b34ad871f30b1740280

   which is fed into the EdDSA signature function and yields this
   signature:

   r: 56f90cca98e2102637bd983fdb16c131dfd27ed82bf4dde5606e0d756aed3366

   s: d09c4fa11527f038e0f57f2201d82f2ea2c9033265fa6ceb489e854bae61b404

   Note that the MPI encoding rules require that the value of S needs to
   be prefixed with a 0x00 octet.  The entire signature packet is thus

  88 5e 04 00 16 08 00 06  05 02 55 f9 5f 95 00 0a
  09 10 8c fd e1 21 97 96  5a 9a f6 22 01 00 56 f9
  0c ca 98 e2 10 26 37 bd  98 3f db 16 c1 31 df d2
  7e d8 2b f4 dd e5 60 6e  0d 75 6a ed 33 66 01 00
  d0 9c 4f a1 15 27 f0 38  e0 f5 7f 22 01 d8 2f 2e
  a2 c9 03 32 65 fa 6c eb  48 9e 85 4b ae 61 b4 04

Author's Address

   Werner Koch
   g10 Code

   Email: w...@gnupg.org
   URI:   https://g10code.com



- -- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

___
openpgp mailing list
open...@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Prævenire melius est quam præveniri
It is better to precede than to be preceded




Re: [Sks-devel] redirect http to https?

2014-08-20 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/19/2014 11:39 PM, Jonathon Weiss wrote:
> 
> So, a user suggested that we should redirect all http connections
> to https.  The user was clearly confused in a number of ways about
> how the keyservers worked, and his specific examples of why it was
> important were incorrect.  That said, there's clearly at least a
> little value in pushing people toward encryption.
> 
> So, I was wondering.  Has anyone done this?  Are there concerns
> about (non-browser) clients using hkp but not supporting re-directs
> or hkps, who would then be unable to use our server?  I suppose I
> could consider leaving port 11371 as is, but force re-directs on
> port 80.  That would probably satisfy the clueless masses on the
> internet, but would it eliminate any risk of breakage?

I do not think redirecting on port 11371 is appropriate as using HKPS
requires supplemental configuration and is not guaranteed to be
supported out of the box by all implementations. iirc there have been
plenty of issues e.g. for debian users without the gnupg-curl package
(i.e using curl-shim rather than a full curl linkage). I do not have
control over which other clients are used, in particular in automated
environments, where I suspect the number of breakage would be highest
and most difficult to deal with.

For port 80 you can do what you want (but the server will dispensary
from the p80 sub-pool in such a case as it isn't actually serving
content on port 80).


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nosce te ipsum!
Know thyself!


Re: [Sks-devel] redirect http to https?

2014-08-20 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/20/2014 09:19 AM, Kristian Fiskerstrand wrote:
> On 08/19/2014 11:39 PM, Jonathon Weiss wrote:
> 


...


> 
> For port 80 you can do what you want (but the server will
> dispensary
^^
Seems I've started in the drug dealing industry, this was of course
intended to be "disappear". Spell check fail.

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"I have always wished that my computer would be as easy to use as my
telephone.
My wish has come true -- I no longer know how to use my telephone"
(Bjarne Stroustrup, April 1999)


Re: [Sks-devel] IPv6 crawler & DNS zone offline?

2014-09-22 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 09/22/2014 01:47 AM, Pete Stephenson wrote:
> Hi all,
> 
> There appears to be something wrong with the IPv6 pool crawler: 
> https://sks-keyservers.net/status/ reports that no servers support
> IPv6 (although many do). The DNS zone ipv6.pool.sks-keyservers.net
> is returning NXDOMAIN.
> 
> Kristian, can you kick the crawler to get it working again?
> 

Thank you for the heads up, kickstarted IPv6 so it should return back
on next update.


- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Quidquid latine dictum sit, altum videtur.
Anything said in Latin sounds profound


[Sks-devel] sks-keyservers.net moved

2014-12-13 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

I've just moved sks-keyservers.net to a new server on another
location, so please let me know if any unexpected issues should arise
over the next few days and I'll start the old host again instead.

Note that DNS operators do not need to change anything due to this as
the prior master has become an intermediary slave.

- -- 
- ----
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Aurum est Potestas
Gold is power


Re: [Sks-devel] sks-keyservers.net moved

2014-12-14 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/14/2014 08:24 AM, Gabor Kiss wrote:
>> I've just moved sks-keyservers.net to a new server on another 
>> location, so please let me know if any unexpected issues should
>> arise over the next few days and I'll start the old host again
>> instead.
> 
> The new site seems to have some certificate problem. Iceweasel
> (Firefox) says:
> 
> sks-keyservers.net uses an invalid security certificate. The
> certificate is not trusted because no issuer chain was provided. 
> The certificate is only valid for localhost (Error code:
> sec_error_unknown_issuer)
> 
> Opera just refuses to connect.

Hi Gabor,

Hmm, this issue seems to relate to an IPv6 issue. I've removed the
 records for the domain for now.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nunc aut numquam
Now or never


Re: [Sks-devel] sks-keyservers.net moved

2014-12-15 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/14/2014 10:54 AM, Kristian Fiskerstrand wrote:
> On 12/14/2014 08:24 AM, Gabor Kiss wrote:
>>> I've just moved sks-keyservers.net to a new server on another 
>>> location, so please let me know if any unexpected issues
>>> should arise over the next few days and I'll start the old host
>>> again instead.
> 
>> The new site seems to have some certificate problem. Iceweasel 
>> (Firefox) says:
> 
>> sks-keyservers.net uses an invalid security certificate. The 
>> certificate is not trusted because no issuer chain was provided.
>>  The certificate is only valid for localhost (Error code: 
>> sec_error_unknown_issuer)
> 
>> Opera just refuses to connect.
> 
> Hi Gabor,
> 
> Hmm, this issue seems to relate to an IPv6 issue. I've removed the 
>  records for the domain for now.
> 

IPv6 should now be restored (but might need some time for DNS to
propagate). Let me know if the issue persists :)


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Veni vidi velcro
I came, I saw, I got stuck


Re: [Sks-devel] Keyservers dropping ed22519 subkeys

2015-01-10 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 01/10/2015 04:20 PM, Jonathan Barnes wrote:
> I’ve created an ECC key-pair, then added an ed22519 signing
> sub-key.
> 
> Manually exporting this public key gives:
> 

...

> 
> However, when using the subset pool for sks-keyservers.net, and
> even when finding one that definitely runs 1.1.5 and manually
> pasting the above in to the appropriate webform, this is what I
> then get:

That won't help, 1.1.5 supports RFC6637 however EdDSA was added in the
development branch after the release ([EdDSA-ID] wasn't released until
September 8 while SKS-1.1.5 was announced on May 5th [SKS]).

...
> 
> The ed22519 subkey has been dropped. Why is this happening?
> 

No it hasn't, it has just been cleaned out in the regular
presentation layer, you will retrieve it by using the &clean=off
option for older keyservers not supporting the protocol.

You should see it on 1.1.5+ servers such as [keys2.kfwebs.net] though

References:
[SKS] http://lists.gnupg.org/pipermail/gnupg-users/2014-May/049682.html
[EdDSA-ID] http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-01.txt
[keys2.kfwebs.net]
http://keys2.kfwebs.net/pks/lookup?op=vindex&search=0x4E8DDC0EDE5D23A6

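As an added example (not code from the thread, SKS or GnuPG): to check whether a key you retrieved still carries its EdDSA subkey, walk the OpenPGP packets and list the algorithm of the primary key and every subkey. The sample key is constructed inline (no user ID or signature packets, so it parses but is not a valid key), and algorithm ID 22 for EdDSA is what GnuPG emits; as the reply above notes, it had not been formally assigned at the time.

```python
import base64
import struct

# Public-key algorithm IDs (RFC 4880 section 9.1); 22 is GnuPG's EdDSA/Ed25519 ID.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
PACKET_TAGS = {6: "public key", 14: "public subkey"}


def dearmor(armored):
    """Return the binary payload of an ASCII-armored block (CRC24 line ignored)."""
    b64, state = [], "outside"
    for line in armored.splitlines():
        line = line.strip()
        if state == "outside":
            if line.startswith("-----BEGIN PGP"):
                state = "headers"
        elif state == "headers":
            if line == "":                 # blank line ends the armor headers
                state = "body"
            elif ":" not in line:          # no headers at all: already data
                state, b64 = "body", [line]
        elif state == "body":
            if line.startswith("-----END PGP"):
                break
            if not line.startswith("="):   # "=XXXX" is the CRC24, not data
                b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                     # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                              # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def key_algorithms(armored):
    """List (packet name, algorithm id) for the primary key and each subkey."""
    found = []
    for tag, body in iter_packets(dearmor(armored)):
        if tag in PACKET_TAGS:
            if body[0] != 4:
                raise ValueError("only v4 key packets are handled here")
            # v4 key body: version(1) | creation time(4) | algorithm(1) | ...
            found.append((PACKET_TAGS[tag], body[5]))
    return found


def describe(armored):
    """Human-readable form, e.g. 'public subkey: EdDSA (22)'."""
    return ["%s: %s (%d)" % (n, ALGO_NAMES.get(a, "unknown"), a)
            for n, a in key_algorithms(armored)]


def has_subkey_with_algo(armored, algo):
    return any(n == "public subkey" and a == algo for n, a in key_algorithms(armored))


# Constructed sample: RSA primary key plus an Ed25519 (EdDSA) subkey, without the
# user ID and signature packets a real key carries; structurally parseable only.
def _mpi(value):
    bits = value[0].bit_length() + 8 * (len(value) - 1)
    return struct.pack(">H", bits) + value


def _packet(tag, body):                    # old-format header, two-byte length
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def _armor(data):
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(data).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


_CREATED = struct.pack(">I", 1420896000)
ED25519_OID = bytes.fromhex("2b06010401da470f01")
PRIMARY = _packet(6, b"\x04" + _CREATED + b"\x01" + _mpi(b"\xc3\x5b") + _mpi(b"\x01\x00\x01"))
SUBKEY = _packet(14, b"\x04" + _CREATED + bytes([22, len(ED25519_OID)]) + ED25519_OID
                 + _mpi(b"\x40" + b"\x11" * 32))
FULL_KEY = _armor(PRIMARY + SUBKEY)        # what a 1.1.5+ server or &clean=off returns
CLEANED_KEY = _armor(PRIMARY)              # what an older server's presentation layer shows
```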


Re: [Sks-devel] Keyservers dropping ed22519 subkeys

2015-01-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 01/11/2015 08:20 AM, Todd Lyons wrote:
> On Sat, Jan 10, 2015 at 9:05 AM, Kristian Fiskerstrand 
>  wrote:
>>> The ed22519 subway has been dropped. Why is this happening?
>> No it hasn't , it has just been cleaned out in the regular 
>> presentation layer, you will retrieve it by using the &clean=off 
>> option for older keyservers not supporting the protocol. You
>> should see it on 1.1.5+ servers such as [keys2.kfwebs.net]
>> though
> 
> Is that a general recommendation of upgrading to master?  That
> seems like a particularly important distinction of behavior
> change.
> 

The EdDSA I-D is not formally adopted and no algorithm ID has
subsequently been assigned to it. Ed25519 is as such rather
experimental in use and not expected to be interoperable between
clients at this point, so it alone does not merit a new release.

At the moment there are only two commits after the release of 1.1.5
though: (i) a typo fix in an example file, and (ii) the EdDSA additions.
So it should be fairly stable. But no, it is not a general
recommendation to use master (although we try to keep it fairly stable).




Re: [Sks-devel] HKP Spec Progress

2015-01-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 01/11/2015 01:29 AM, Daniel Roesler wrote:
> Howdy all,
> 
> I'm unable to find any updates beyond the original draft of the
> OpenPGP HTTP Keyserver Protocol (HKP)[1]. Since the sks keyservers
> are based on this protocol, are there any plans on making progress
> in its adoption. It's been over 11 years, so what can we do to get
> hkp finished?
> 

Is there anything requiring a formal spec for HKP for it to be taken
into consideration? It is fairly well documented in the behavior of the
reference keyserver (SKS) and client implementation (GnuPG).



Re: [Sks-devel] Error in recon.log

2015-02-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/03/2015 09:40 AM, TELEHOST Office wrote:
> Hello All.
> 
> We have just setup a new SKS installation on CentOS 6.
> Unfortunately it did not work properly.

For background, which version of SKS does it ship?

> 
> 2015-02-03 03:56:29  error in callback.:
> Failure("No gossip partners available")

Do you have any peers in ${BASEDIR}/membership ?

> 2015-02-03 03:54:38  error in callback.: 
> Failure("configuration of remote host ( [xx.yy.zz.aa]:59141>) rejected: filters do not match.\n\tlocal
> filters: [ yminsky.dedup ]\n\tremote filters: [ yminsky.dedup
> yminsky.merge ]")  error in callback.:
> Sys_error("Connection reset by peer")
> 
> We are realy frustraded that it seems to be impossible to get it
> up without any errors.

Impossible except for some recorded 135 online servers? :p

> 
> All standard tips like cleandb, reimport dump already tested.

Which version of BDB is installed and linked to sks? What is the BDB
version of the KDB and PTree environment? What is the number of keys
loaded on the server? FWIW, this issue is most commonly seen when sks
cleandb is not run; anything interesting in clean.log?



Re: [Sks-devel] Error in recon.log

2015-02-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/03/2015 10:30 AM, TELEHOST Office wrote:
> Dear Kristian,
> 
> thank you very much for your fast feedback.

No problem, but please do not top-post, it makes following the thread
very difficult and is, in general, bad form.

> 
> Here a copy of the CentOS cleandb-log:

..


> 2015-02-02 15:50:50 Database already deduped 2015-02-02 15:50:50
> Database already merged

This indicates that merging is done.

> CentOS version: 2015-01-31 20:21:35 Running SKS 1.1.5
> 
> also on Debian 7 installed via apt.
> 
> The most intresting thing: On a dedicated machine I got it working
> - on the vservers (2 G RAM, 20 GB HDD, 8 core) - with OpenVZ - I
> get these errors.

Are you using an init script? If so, what happens if you try running
sks as root from the basedir directly?

What is the output of `sks version`? Anything interesting in db.log?
Try setting debuglevel: 10 in sksconf to increase verbosity.

Never tried an install in OpenVZ before; it works quite nicely in
virtual machine environments though (I have SKS guest instances
installed in Gentoo VMs hypervised by both qemu+kvm as well as HyperV,
and now we don't even need a jiffie workaround...)



Re: [Sks-devel] Error in recon.log

2015-02-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/03/2015 08:22 PM, TELEHOST Office wrote:
> Am 2015-02-03 11:00, schrieb Kristian Fiskerstrand: On 02/03/2015
> 10:30 AM, TELEHOST Office wrote:
>>>> Dear Kristian,
>>>> 


..

> 
>> [root@keyserver ~]# tail -f /var/sks/recon.log 2015-02-03
>> 14:23:03  error in callback.: Failure("No gossip
>> partners available")

No valid peer in the membership file; as pointed out by someone in an
earlier post, you will need to have peers that also accept your server
(i.e. include your server in their membership file).

> 
>> [root@keyserver ~]# tail -f /var/sks/db.log 2015-02-03 14:31:56
>>  error in callback.: Failure("No partners
>> specified")

This is fine; this was used for PKS sync. Stop it using
"disable_mailsync:" in sksconf.


>> -other server:-
> 
>> on debian 7: root@gpg:~# sks version Unknown command version

OK, this indicates an sks version older than 1.1.4, which will likely
have issues in a VM environment unless special care is taken with
jiffie timing issues.

> 
>> debian 7: root@gpg:~# tail -f /var/log/sks/recon.log 2015-02-03
>> 14:19:00  error in callback.: 
>> Sys_error("Connection reset by peer")

Likely you're not authorized to peer with that host, or it is already
gossiping with someone else. Are you included in the peer's membership
file?

> 
>> root@gpg:~# tail -f /var/log/sks/recon.log 2015-02-03 14:39:14
>> Marshalling: LogQuery: (5000,0.00) 2015-02-03 14:39:18
>> Unmarshalling: LogResp: 0 events 2015-02-03 14:39:18 Fetching
>> filters 2015-02-03 14:39:18 Marshalling: Config(s,none) 
>> 2015-02-03 14:39:18 Unmarshalling: Filters(yminsky.dedup) 
>> 2015-02-03 14:39:18 Starting event loop 2015-02-03 14:39:18
>> Marshalling: LogQuery: (5000,0.00) 2015-02-03 14:39:18
>> Unmarshalling: LogResp: 0 events 2015-02-03 14:40:13
>> Unmarshalling: LogResp: 0 events 2015-02-03 14:40:17 Membership:
>> (xxx.yyy.com 11370)[], (xxx.yyy.lu 11370)[], ... 2015-02-03
>> 14:40:17 address for keyserver.xxx.yyy:11370 changed from [] to
>> [, ] 
>> 2015-02-03 14:40:17 Recon partner:  
>> 2015-02-03 14:40:20  error in callback.: Unix
>> error: No route to host - connect()

Is IPv6 working on your host? If not, you should disable it completely.




Re: [Sks-devel] Error in recon.log

2015-02-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/03/2015 09:05 PM, Pete Stephenson wrote:
> On Tue, Feb 3, 2015 at 8:57 PM, Kristian Fiskerstrand 
>  wrote:
>> On 02/03/2015 08:22 PM, TELEHOST Office wrote:
>>>> [root@keyserver ~]# tail -f /var/sks/recon.log 2015-02-03 
>>>> 14:23:03  error in callback.: Failure("No
>>>> gossip partners available")
>> 
>> No valid peer in membership file, as pointed out by someone in
>> earlier post, you will need to have peers that also accept your
>> server (i.e. including your server in the membership file)
> 
> This is further evidenced by the fact that there's no SKS server
> with a telehost.ch name showing up in the SKS Keyserver Status
> page. If the server was peered with another public server, it'd
> appear there.

Yes and no... although you're likely correct, it could be a case of an
erroneous hostname specified in sksconf disqualifying it.



Re: [Sks-devel] Error in recon.log

2015-02-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/03/2015 08:46 PM, TELEHOST Office wrote:
> Am 2015-02-03 11:00, schrieb Kristian Fiskerstrand: On 02/03/2015
> 10:30 AM, TELEHOST Office wrote:
>>>> Dear Kristian,
>>>> 
>>>> thank you very much for your fast feedback.
> 
> No problem, but please do not top-post, it makes following the
> thread very difficult and is, in general, bad form.
> 
>>>> 
>>>> Here a copy of the CentOS cleandb-log:
> 
> ..
>> 2015-02-03 15:05:59 Unable to get mtime for membership file.
>> Can't decide whether to reload

Are you sure you have the membership file in the correct location?
Also, what is the explicit content of the file, and can you connect to
the peer on TCP ports 11370, 11371 and potentially another port
provided for HKP (see /pks/lookup?op=stats)?

Is this server accessible somewhere? I tried connecting to
http://194.0.229.61:11371/pks/lookup?op=stats and ditto for
194.0.229.60 without getting a connection, so at the least you would be
unable to peer with outside servers.

Can you telnet between the servers on port 11370 (or whatever other
port is specified in the membership file) and the HKP transport (as
well as 11371 for default HKP)?

> 
>> As you see - both servers now are in the same subnet, connected
>> directly via switch.
> 
>> Did not understand what happens here ...
> 
>> Thomas
> 
> 
> 
> 



Re: [Sks-devel] Error in recon.log

2015-02-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/03/2015 09:39 PM, TELEHOST Office wrote:
> Am 2015-02-03 21:19, schrieb Kristian Fiskerstrand: On 02/03/2015
> 08:46 PM, TELEHOST Office wrote:
>>>> Am 2015-02-03 11:00, schrieb Kristian Fiskerstrand: On
>>>> 02/03/2015 10:30 AM, TELEHOST Office wrote:
>>>>>>> Dear Kristian,
>>>>>>> 



> 
>> Both distris have the membership located in /etc/sks/membership.
> 

Unless CentOS is doing something with the package, that is likely
wrong; it should be in the SKS basedir.

>> [root@keyserver sks]# ls -al total 24 drwxr-xr-x  2 sks  sks
>> 4096 Feb  3 15:04 . drwxr-xr-x 66 root root 4096 Feb  2 16:16 .. 
>> -rw-r--r--  1 sks  sks  2333 Jan 30 08:25 mailsync -rw-r--r--  1
>> sks  sks36 Feb  3 15:04 membership -rw-r--r--  1 root root
>> 1319 Feb  3 15:03 membership_original -rw-r--r--  1 sks  sks
>> 2591 Feb  2 15:44 sksconf
> 
> 
> Is this server accessible somewhere? I tried connecting to 
> http://194.0.229.61:11371/pks/lookup?op=stats and ditto for 
> 194.0.229.60 without getting a connection at least so you would be 
> unable to peer with outside servers.
> 


>> 194.0.229.61 was not open to public (CentOS). Public avaiable is 
>> 194.0.229.60.

telnet 194.0.229.60 11371
Trying 194.0.229.60...
... timeout

> 
>> I granted access for testing to 194.0.229.61 now, too.
> 
>> So on both engines port 80, 11370 and 11371 are open to public.

telnet 194.0.229.61 11371
Trying 194.0.229.61...

timeout

> 
>> Want to have SSH? There's nothing else than SKS on both engines.

Not really; should be able to figure this out without it.



Re: [Sks-devel] Error in recon.log

2015-02-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/03/2015 10:31 PM, TELEHOST Office wrote:
> Am 2015-02-03 22:09, schrieb Kristian Fiskerstrand: On 02/03/2015
> 09:39 PM, TELEHOST Office wrote:
>>>> Am 2015-02-03 21:19, schrieb Kristian Fiskerstrand: On
>>>> 02/03/2015 08:46 PM, TELEHOST Office wrote:
>>>>>>> Am 2015-02-03 11:00, schrieb Kristian Fiskerstrand: On 
>>>>>>> 02/03/2015 10:30 AM, TELEHOST Office wrote:
>>>>>>>>>> Dear Kristian,

> 
>> Moved to /var/sks on CentOS and now I get:
> 
>> 2015-02-03 16:33:17  error in callback.: 
>> Failure("configuration of remote host (> [194.0.229.60]:35325>) rejected: filters do not match.\n\tlocal
>> filters: [ yminsky.dedup yminsky.merge ]\n\tremote filters: [
>> yminsky.dedup ]") 2015-02-03 16:34:16  error in
>> callback.:


>> 2015-02-03 16:45:35  error in callback.: 
>> Failure("configuration of remote host (> [194.0.229.60]:56597>) rejected: filters do not match.\n\tlocal
>> filters: [ yminsky.dedup yminsky.merge ]\n\tremote filters: [
>> yminsky.dedup ]") 2015-02-03 16:47:23  callback
>> timed out. 2015-02-03 16:49:05  callback timed
>> out. 2015-02-03 16:50:52  callback timed out.
> 

Try running sks cleandb from within the basedir.


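As an added example (not code from the thread or from SKS itself), the checks asked for across this thread, automated: parse the membership file, probe each peer's recon and HKP ports the way `telnet host 11370` does, and map the recon.log and db.log failures quoted above to the explanations given in the replies. The hostnames, the 192.0.2.x address and the log lines are constructed samples modelled on the messages in the thread.

```python
import re
import socket

HKP_PORT = 11371   # default HKP port; each peer's recon port is in the membership file
FILTER_RE = re.compile(r"local filters: \[([^\]]*)\].*?remote filters: \[([^\]]*)\]")


def parse_membership(text):
    """Parse an SKS membership file: 'hostname port' per line, '#' starts a comment."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError("malformed membership line: %r" % raw)
        peers.append((parts[0], int(parts[1])))
    return peers


def tcp_open(host, port, timeout=3.0):
    """Same check as 'telnet host port': can a TCP connection be established?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_peers(peers, probe=tcp_open):
    """{host: {port: reachable}} for each peer's recon port and the default HKP port."""
    return {host: {p: probe(host, p) for p in (recon_port, HKP_PORT)}
            for host, recon_port in peers}


def diagnose_line(line):
    """Map one recon.log/db.log line to (category, explanation from the thread)."""
    if "No gossip partners available" in line:
        return ("no-peers", "no usable peer: the membership file is missing/empty, "
                "or no peer lists this server in its own membership file")
    if "filters do not match" in line:
        m = FILTER_RE.search(line)
        local = set(m.group(1).split()) if m else set()
        remote = set(m.group(2).split()) if m else set()
        gaps = []
        if remote - local:
            gaps.append("local side lacks " + " ".join(sorted(remote - local)))
        if local - remote:
            gaps.append("remote side lacks " + " ".join(sorted(local - remote)))
        return ("filters", "filter sets differ (%s); run 'sks cleandb' from the basedir "
                "on the side that lacks yminsky.merge" % "; ".join(gaps))
    if "Connection reset by peer" in line:
        return ("reset", "peer has not authorized this host (check that it lists you in "
                "its membership file) or is already gossiping with someone else")
    if "No route to host" in line:
        return ("no-route", "address unreachable; if it is an IPv6 address and IPv6 is "
                "not working on this host, disable IPv6 completely")
    if "No partners specified" in line:
        return ("mailsync", "harmless PKS mailsync message; silence it with "
                "'disable_mailsync:' in sksconf")
    return None


def diagnose_log(text):
    return [d for d in (diagnose_line(l) for l in text.splitlines()) if d]


# Constructed samples: hostnames, the 192.0.2.x address and the log lines are made up.
SAMPLE_MEMBERSHIP = """\
# recon peers: hostname and recon port
keys.example.net 11370   # constructed peer
keys2.example.org 11370
"""
SAMPLE_LOG = """\
2015-02-03 03:56:29 error in callback.: Failure("No gossip partners available")
2015-02-03 16:33:17 error in callback.: Failure("configuration of remote host ([192.0.2.60]:35325) rejected: filters do not match.\\n\\tlocal filters: [ yminsky.dedup yminsky.merge ]\\n\\tremote filters: [ yminsky.dedup ]")
2015-02-03 14:19:00 error in callback.: Sys_error("Connection reset by peer")
2015-02-03 14:40:20 error in callback.: Unix error: No route to host - connect()
2015-02-03 14:31:56 error in callback.: Failure("No partners specified")
2015-02-03 14:39:18 Starting event loop
"""

if __name__ == "__main__":
    for category, advice in diagnose_log(SAMPLE_LOG):
        print("%-9s %s" % (category, advice))
    # live probe of the peers in the sample file (needs network access)
    print(check_peers(parse_membership(SAMPLE_MEMBERSHIP)))
```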


[Sks-devel] sks-keyservers.net: Changing min version requirement to 1.1.5 on 15 March 2015

2015-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

SKS 1.1.4 was released on 7 Oct 2012[0] and SKS 1.1.5 on 5 May 2014,
adding new features, fixing numerous bugs and one security
vulnerability (CVE-2014-3207). Given the amount of time that has
passed since these releases, I'm going to increase the minimum version
requirement of the sks-keyservers.net pool to 1.1.5 around the 15th of
March 2015.

Of the online servers today 95 are already updated to 1.1.5 (including
development version after adding support for EdDSA / curve25519):
  1 GnuKS:0.9.2
  5 SKS:1.1.1
  1 SKS:1.1.2
 15 SKS:1.1.3
 16 SKS:1.1.4
  2 SKS:1.1.4+
 89 SKS:1.1.5
  6 SKS:1.1.5+

References:
[0] http://lists.nongnu.org/archive/html/sks-devel/2012-10/msg00010.html
[1] http://lists.gnupg.org/pipermail/gnupg-users/2014-May/049682.html



Re: [Sks-devel] recon stops: "2015-02-11 07:09:48 Raising Sys.Break -- PTree may be corrupted: Failure("remove_from_node: attempt to delete non-existant element from prefix tree")"

2015-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/11/2015 04:32 PM, David Benfell wrote:
> Hi all,
> 

..

> 
> And tried restarting everything. No joy.  Is there any remedy short
> of rebuilding the whole database?
> 

The easiest is likely just rebuilding the PTree; that should be quick
enough (you don't need to touch the KDB for that).




Re: [Sks-devel] sks-keyservers.net: Changing min version requirement to 1.1.5 on 15 March 2015

2015-02-11 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/11/2015 04:54 PM, Brian Minton wrote:
> On Wed, Feb 11, 2015 at 9:24 AM, Kristian Fiskerstrand 
>  wrote:
> 
>> 1 GnuKS:0.9.2 5 SKS:1.1.1 1 SKS:1.1.2 15 SKS:1.1.3 16 SKS:1.1.4 2
>> SKS:1.1.4+ 89 SKS:1.1.5 6 SKS:1.1.5+
> 
> Are there any plans to add hockeypuck servers to the pool?

They are / have been detected in the past, but no, it won't qualify for
the main pool at this stage due to the unstable nature of the software
at this point; see e.g. [0].

References:
[0] https://bugs.launchpad.net/hockeypuck/+bug/1313096


Re: [Sks-devel] recon stops: "2015-02-11 07:09:48 Raising Sys.Break -- PTree may be corrupted: Failure("remove_from_node: attempt to delete non-existant element from prefix tree")"

2015-02-13 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/12/2015 04:41 AM, David Benfell wrote:
> On Wed, Feb 11, 2015 at 04:45:12PM +0100, Kristian Fiskerstrand
> wrote:
>> On 02/11/2015 04:32 PM, David Benfell wrote:
>> 
>> the easiest is likely just rebuilding the PTree, that should be
>> quick enough (you don't need to touch KDB for that)
>> 
> This would have been good. How do I just rebuild the PTree?
> 

Just delete the PTree dir and run sks pbuild.




Re: [Sks-devel] recon stops: "2015-02-11 07:09:48 Raising Sys.Break -- PTree may be corrupted: Failure("remove_from_node: attempt to delete non-existant element from prefix tree")"

2015-02-13 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 02/13/2015 05:42 PM, Daniel Kahn Gillmor wrote:
> On Fri 2015-02-13 06:14:44 -0500, Kristian Fiskerstrand wrote:
>> On 02/12/2015 04:41 AM, David Benfell wrote:
>> 
>>> This would have been good. How do I just rebuild the PTree?
>> 
>> Just delete the PTree dir and run sks pbuild
> 
> Again, do "sks pbuild" as the user who runs the service :)
> 
> sorry for harping on this point, but i've helped too many people
> who ended up with root-owned files because they weren't thinking
> about the ownership issues during some phase of the process, so i
> want to make sure we keep that recommendation explicit.
> 

The startup scripts provided by any sane distribution should fix
this anyway, making it a non-issue. From the Gentoo /etc/init.d/sks-db:

start_pre()
{
checkpath --owner sks:sks --directory \
${SKS_DIR} ${SKS_DIR}/KDB ${SKS_DIR}/PTree
checkpath --owner sks:sks --file \
${SKS_DIR}/*.log ${SKS_DIR}/KDB/* ${SKS_DIR}/PTree/*
}



