Re: [Sks-devel] nokeyserver annotation

Vincent Breitmoser writes: >> - to do this keyservers will have to actually do cryptography > > Are you sure? I don't think there's any attack scenario here: If any > such signature exists, you can't upload the key. You can strip that signature. If you only consider

Re: [Sks-devel] Unreachable status (still) for pgp.key-server.io

Danny Horne writes: > # dig +norecurse +noall +stats @66.33.206.206 pgp.key-server.io > ;; Query time: 136 msec > ;; SERVER: 66.33.206.206#53(66.33.206.206) > ;; WHEN: Fri Nov 18 17:51:19 UTC 2016 > ;; MSG SIZE rcvd: 62 > > # dig +norecurse +noall +stats +tcp +time=20

Re: [Sks-devel] IPv6 out of action?

Hi! Kristian Fiskerstrand writes: > On 10/28/2016 02:22 PM, dirk astrath wrote: >> Hello, >> Seems IPv6 connectivity is borked on https://sks-keyservers.net/status/ , no live keyservers are listed as having IPv6 available >>> Yes, I'm

Re: [Sks-devel] Depeering Notice

Hi! Gabor Kiss writes: > Or don't you want to peer with servers having too few keys? Having too few keys leads to practical problems .. it directly leads to excessive resource usage during recon. Having a large delta and not catching up is a very good reason to de-peer.

Re: [Sks-devel] Need help with clustered setup

Hi! Danny Horne writes: > I don't understand why you're seeing this error, can see it in my logs > but test emails to my address (from GMail) are getting through IPv4 vs IPv6 | $ swaks -6 --to da...@lockmail.net --from christoph.eg...@fau.de -q TO | === Trying

Re: [Sks-devel] peer request for pgp.uplinklabs.net

Gunnar Wolf writes: > Andrew Gallagher dijo [Wed, Aug 31, 2016 at 10:14:01AM +0100]: >> I'm sceptical of the utility of ECC keys personally. They were first >> proposed as a way of reducing work and storage space (because the >> space of usable ECC keys is more compact than the

Re: [Sks-devel] Sync issues with sks 1.1.6

Steven Noonan <ste...@uplinklabs.net> writes: > On 31/08/16 07:07, Christoph Egger wrote: >> Steven Noonan <ste...@uplinklabs.net> writes: >>> Attempted doing a dump and rebuild of my database from that, but it didn't >>> help >>> with this pro

Re: [Sks-devel] seeking peers for sks.ustclug.org

SJ Zhu writes: > 2016-08-27 13:54:52 Reconciliation attempt from unauthorized host [172.17.0.1]:39492>. Ignoring Note that this is a private address from RFC 1918 space. So either something is Nat'ing your incoming connections or this connection attempt comes from within

Re: [Sks-devel] Great increase in new keys and updated keys on August, 2016, 13 and 16

Pascal Levasseur writes: > Any explanation available for this unusual behavior ? Quoting #debian-devel > evil32 keys got revoked https://news.ycombinator.com/item?id=12298230 Christoph -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 Debian Developer | Lisp

Re: [Sks-devel] [Announcement] SKS 1.1.6 Released

Gabor Kiss writes: >> > Out of curiosity, is there any Debian-type repository one can use to >> > install updates automatically? >> > >> https://packages.debian.org/jessie/sks ??? > > Jessie is the _stable_ version. Its sks package won't be upgraded > unless a major

Re: [Sks-devel] 32-bit (short ID) collisions: New milestone(?) reached

Hi! Gunnar Wolf writes: > There are several tools relying on this (now very) weak 32-bit scheme; > the first such tool we found was precisely the «PGP pathfinder & key > statistics» service, which fails badly: Even specifying the full > fingerprints, I do get three (absolutely

Re: [Sks-devel] Pools & HSTS header

William Hay writes: > On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote: >> Hi, >> >> I enforce HTTPS on all my domains by sending the HSTS header to my >> visitors. HSTS forces the browser to use in future only secure >> connections to this domain. More info

Re: [Sks-devel] Oh, Jeeez...!

Tobias Frei writes: > About lacking keys, well, if the pool selection mechanism causes > working keyservers to be removed, that's a separate problem that needs > to be solved after this one, I think. It should not be an argument for > or against this suggestion, but

Re: [Sks-devel] keys.gnupg.net anomaly

Christoph Egger <christ...@christoph-egger.org> writes: > AFAIR keys.gnupg.net has been discussed here and keyserver oeprators are > expected to make this work -- at least for hkps. sorry that was meant to read hkp / port 11371 -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A

Re: [Sks-devel] keys.gnupg.net anomaly

Christoph Egger <christ...@christoph-egger.org> writes: > of course -- if people use keys.gnupg.net with https, this advice should > probably be fixed and/or the cname be moved to the "right" pool Note that https://pool-sks-keyservers.net/ is also expected to not work --

Re: [Sks-devel] keys.gnupg.net anomaly

Hi! "Kiss Gabor (Bitman)" writes: > I found requests for https://keys.gnupg.net/ in my Apache logs > on keys.niif.hu. Of course they were unsuccessful because > my HTTP daemon is not set up to provide this virtual site. > > In the DNS we can see this: > keys.gnupg.net

Re: [Sks-devel] Verification of keys on upload and removal options

Hi! Malte writes: > On Friday, March 25, 2016 1:33:16 PM CEST Andrew Gallagher wrote: >> Before we even *think* about a protocol, there are policy hurdles to be >> overcome, e.g.: >> >> 1. What criteria should be met before a key is removed? > > Owner of private key or owner of

Re: [Sks-devel] Verification of keys on upload and removal options

Hi! Douglas writes: > It doesn't benefit anyone to retain keys uploaded with malicious > intent, so I believe it's worth discussing a mechanism for key removal > due to abuse of the system. Sure. I suggest you start by reading the Minsky paper on how the keyservers

Re: [Sks-devel] Tor hidden service /onionbalance for hkp

Hi! Kristian Fiskerstrand writes: > as mentioned in [0] an experimental tor hidden service based on > onionbalance is running on hkp://jirk5u4osbsr34t5.onion . A Tor column > is added to the status pages, and participation requires manual >

Re: [Sks-devel] sks for MirageOS?

Hi! Stephan Beyer writes: > Does anyone of you have experience with MirageOS and knows what > it takes to make a MirageOS unikernel from an "ordinary" OCaml program > like sks? You just have to rewrite any I/O code to the MirageOS library. So mostly network and backend storage

Re: [Sks-devel] sks hiddden service

Kiss Gabor (Bitman) ki...@ssg.ki.iif.hu writes: Eeerrr... what is the risk of using a public service in TOR user's point of view? (Compared to using a hidden service.) His identity is hidden anyway. End-To-End encryption and no CAs. signature.asc Description: PGP signature

Re: [Sks-devel] seeking peers for keys.enteig.net

Hi! Running it on a Raspberry Pi shouldn't be a problem as SKS is pretty low on resources (except for the building process). Well sks needs rather decent storage (or maybe lots of RAM as caches?) to performe remotely useable in my experience. In terms of normal RAM and CPU usage it's

[Sks-devel] Change of IP Address for keyserver.siccegge.de / keyserver.christoph-egger.org

Hi! The IP addresses configured for my keyserver[0] are about to change. It will then also feature a static IPv4 address again. Addresses are: 92.43.111.21 2a01:4a0:59:3151::f002 Regards Christoph [0] keyserver.siccegge.de / keyserver.christoph-egger.org Just different names for

Re: [Sks-devel] New keyserver (gpg.n1zyy.com) - peers requested

Hi! Matt Wagner m...@ttwagner.com writes: IPv6[1]. Looks good from here FWIW Christoph -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 Debian Developer | Lisp Hacker | CaCert Assurer ___ Sks-devel mailing list Sks-devel@nongnu.org

[Sks-devel] Broken keyservers (413 Request Entity Too Large)

Hi! Seems uploading my gpg key (d49ae731) to pool.sks-keyservers.net fails for several of the hosts in rotation: gpg: sending key D49AE731 to hkp server 213.206.252.51 gpgkeys: HTTP post error 22: The requested URL returned error: 413 Request Entity Too Large gpg: keyserver internal error gpg:

Re: [Sks-devel] Broken keyservers (413 Request Entity Too Large)

Arnold sk...@mallos.nl writes: People with a very large key can put their full key at a special place of their own (they are likely to be above average active internet users). They can still upload their key with exp. time and all textual UIDs. However, they should remove most of the

Re: [Sks-devel] quality of keyservers offering hkps

Kiss Gabor (Bitman) ki...@ssg.ki.iif.hu writes: - mitm attacks may manipulate up-/downloaded keys no Every uploaded key can be manipulated legally by anyone. (I.e. you attach a new signature to your friend's key and you send back to the key servers.) Moreover anybody can send a totally

Re: [Sks-devel] Moving SKS to a different host

Pete Stephenson p...@heypete.com writes: On 8/3/2014 3:03 PM, Tyler Schwend wrote: Building the sks database from a dump takes a very long time, a lot of disk space, and a lot of CPU. Is there a way to just move the whole BDB from one host to another? I am switching hosts. I'm not sure if

Re: [Sks-devel] Keydump

Ahoi! Henning Kopp henning.k...@uni-ulm.de writes: Is it possible to get a keydump of all gpg-keys? Are there any usage restrictions? What would the size of the data be? Take a look at https://bitbucket.org/skskeyserver/sks-keyserver/wiki/KeydumpSources I doubt any of the operators will mind

Re: [Sks-devel] Question about apache2 configuration

Filip Stefaniak stefan...@gmail.com writes: W dniu 2013-11-12 14:12, Todd Lyons pisze: On Tue, Nov 12, 2013 at 09:42:13AM +0100, Filip Stefaniak wrote: I've tried to configure sks server with apache2 as described at https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering But I had a

[Sks-devel] keyserver.siccegge.de IP change

Hi all! Unfortunately keyserver.siccegge.de lost it's static IPv4 configuration. DNS has been set up to follow the actually used IP addresses (hopefully visible soon on a Nameserver near you). I will soon add a (static) IPv6 address again (allocated from 2001:a60:f01c::/48). If you are peering

Re: [Sks-devel] Upgrading to 1.1.3 Through Debian Backports

Moin! John Clizbe jpcli...@gingerbear.net writes: Patrick R McDonald wrote: I would like to upgrade my sks on Debian Squeeze from 1.1.1 to 1.1.3 using Debian backports. Is there anything of which I need to be aware when making this upgrade? if your 1.1.3 is linked with the same version of

Re: [Sks-devel] status pages on sks-keyservers.net

Michael Nausch mich...@nausch.org writes: - RProx??? whats that? reverseproxy? Jep - Port 80 it's colord false with red, 'cause you can reach my server http://keyserver.nausch.org as you can reach it as http://keyserver.nausch.org:11371

[Sks-devel] keyserver.siccegge.de getting dynamic IP soon

Hi all! Due to changes at the location the keyserver is hostet, I'll have to use dynamic IP addresses for now (IPv4 only, the v6 address stays static). I might be able to give it static addresses again in the future but for now I'll have to dael with changing addresses. Regards Christoph

Re: [Sks-devel] Wrong key fetched?

John Clizbe jpcli...@gingerbear.net writes: Christoph Egger wrote: Something weird happening when fetching 0xE33EC63DF983 -- it gets 0x9CDF568F which doesn't even have a subkey called 0xE33EC63DF983 as far as I can see. Anyone knows what's going on? Regards Christoph

[Sks-devel] warning about keyserver problems

Hi! as your script is already tracking the status of keyservers on the web, maybe it would be possible to send the administrator a mail every time the keyserver drops out of the pool due to problems? Seems keyservers have the tendency to actually fail after running for some time and need

Re: [Sks-devel] warning about keyserver problems

Hi! Christoph Egger christ...@christoph-egger.org writes: as your script is already tracking the status of keyservers on the web, maybe it would be possible to send the administrator a mail every time the keyserver drops out of the pool due to problems? Seems keyservers have the tendency

[Sks-devel] Changed IPv6 Adress for keyserver.siccegge.de

Hi! The IPv6 Address for keyserver.siccegge.de has changed (it's now 2001:a60:f01c:0:42::1). IPv4 addresses are still the same. Regards Christoph pgpxTWd2Djxam.pgp Description: PGP signature ___ Sks-devel mailing list Sks-devel@nongnu.org

Re: [Sks-devel] keyserver.siccegge.de downtime

Hi all! Christoph Egger christ...@christoph-egger.org writes: Due to random hangs I've stopped sks on keyserver.siccegge.de for now which seems to improve things a bit (I'd bet on network stack). Will be back after debugging stuff a bit / replacing hardware. It's currently back online

[Sks-devel] keyserver.siccegge.de downtime

Hi! Due to random hangs I've stopped sks on keyserver.siccegge.de for now which seems to improve things a bit (I'd bet on network stack). Will be back after debugging stuff a bit / replacing hardware. Regards Christop -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 Debian

[Sks-devel] Why is keyserver.siccegge.de not in Port80 pool?

Hi! I noticed keyserver.siccegge.de is not in the port80 pool. However I can get the status page over port80 and gpg --keyserver hkp://keyserver.siccegge.de:80/ --recv-keys $KEYID both works on IPv4 only hosts and IPv6 enabled systems. Regards Christoph -- 9FED 5C6C E206 B70A 5857

Re: [Sks-devel] unable to allocate memory for mutex; resize mutex region [was: Re: Min. Requirement for SKS Version in the Pool]

Hi! Daniel Kahn Gillmor d...@fifthhorseman.net writes: On 06/25/2012 01:50 AM, Christoph Egger wrote: Daniel Kahn Gillmor d...@fifthhorseman.net writes: On 06/25/2012 12:44 AM, Kristian Fiskerstrand wrote: Please let me know if we should push the timeline some for the 1.1.2 minimum to get

Re: [Sks-devel] Min. Requirement for SKS Version in the Pool

Hi! Daniel Kahn Gillmor d...@fifthhorseman.net writes: On 06/25/2012 12:44 AM, Kristian Fiskerstrand wrote: Please let me know if we should push the timeline some for the 1.1.2 minimum to get more time for testing, as originally stated my primary goal is getting to 1.1.3, so this shouldn't

Re: [Sks-devel] Issue Importing Database Dump (Dents in my forehead)

Hi! John Clizbe jpcli...@gingerbear.net writes: I've never exceeded an inuse mutex count of ~42k, you shouldn't need that high of a number either. Tunables in DB_Config won't help you on build, the BDB env isn't created until 'sks clean'. Likewise the environment isn't created in PTree until

[Sks-devel] Pool for port-80 reachable keyservers?

Hi! I was talking with some folks at a GPG crashcourse / Keysigning event last week where I was asked for a pool cointaining only keyservers reachable through standard HTTP(s) ports (usefull for example behind restrictive firewalls). As far as I know no such pool exists but maybe one could be

[Sks-devel] peering broken for keyservers using reverse-proxies?

Hi! Recently I started to see failures in my recon.log: 2012-04-04 23:35:59 Error getting missing keys: Failure(!DOCTYPE HTML PUBLIC \-//IETF//DTD HTML 2.0//EN\) 2012-04-05 00:57:10 Error getting missing keys: Failure(html\r) Interestingly all peers I'm seeing this kind of failure are

Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?

Andrey Korobkov korob...@fryxell.ru writes: One more problem with IPv6 peering: 2011-04-07 00:23:44 address for keyserver.siccegge.de:11370 changed from [] to [ADDR_INET [2001:a60:f01c:0:70:1:6:42]:11370, ADDR_INET [212 .114.250.148]:11370, ADDR_INET [212.114.250.149]:11370] 2011-04-07

Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?

Andrey Korobkov korob...@fryxell.ru writes: That's good :) So, that was because SKS was listening on IPv4. But what about: 2011-04-07 00:57:02 Recon partner: ADDR_INET [2001:a60:f01c:0:70:1:6:42]:11370 2011-04-07 00:57:03 Initiating reconciliation 2011-04-07 00:57:05 recon as client error

Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?

Андрей Коробков korob...@fryxell.ru writes: I'm using btrfs on server and reiserfs on desktop. May be, BDB do some very-low level things?... Is one of them 64 bit and the other 32 bit? If so that'll break. If the server is 32bit you could build it on your desktop using a 32bit chroot

Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?

Hi! Андрей Коробков korob...@fryxell.ru writes: I want to set up keyserver, but it's only IPv6. Would you accept it in the pool? I don't see any reason to reject such a keyserver and would peer with you as soon as yours is up! Regards Christoph -- 9FED 5C6C E206 B70A 5857 70CA 9655

Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?

Андрей Коробков korob...@fryxell.ru writes: offtop The only problem is to have such a huge key database being built from dump on my memory-limited 32-bit home server. When I tried to do the thing on my 64-bit desktop and then copy the DB files to server, SKS didn't want to start because of

Re: [Sks-devel] Re: seeking peers for keyserver.siccegge.de

Hi! Hauke Lampe la...@hauke-lampe.de writes: On 12.10.2010 00:23, Christoph Egger wrote: After some more fiddling the firewall's now fine with IPv4 gossip One problem remains: Requesting 1 missing keys from ADDR_INET [212.114.250.149]:11371, starting with C11C28AEA21E0CBF4960BC150B2D62DC

[Sks-devel] seeking peers for keyserver.siccegge.de

. For operational issues, please contact me directly. keyserver.siccegge.de 11370 # Christoph Egger christ...@christoph-egger.org 0xD49AE731 Regards Christoph -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 Debian Developer | Lisp Hacker | CaCert Assurer A. Because it breaks the logical

Re: [Sks-devel] seeking peers for keyserver.siccegge.de

. Regards Christoph keyserver.siccegge.de 11370 # Christoph Egger christ...@christoph-egger.org 0xD49AE731 -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 Debian Developer | Lisp Hacker | CaCert Assurer A. Because it breaks the logical sequence of discussion Q. Why is top posting

Re: [Sks-devel] seeking peers for keyserver.siccegge.de

Christoph Egger christ...@christoph-egger.org writes: Hi! Gaudenz Steinlin gaud...@soziologie.ch writes: Hi Christoph I would like to peer with your server but I can currently not connect to it on IPv4. It works on IPv6 though. Is this intentional? No it's not intentional -- but well