ted in court); but one is responsible to make the data
> unable to be connected to a person. IMHO it would be enough to strip any
Ths question is: which person?
Several peoples may have identical name.
At least 3 different "Gabor Kiss"-es uploaded their keys to the key servers.
A
On Tue, 14 Jun 2022, I?aki Arenaza wrote:
> willingness to prove it), he could also use a digital certificate system
> that is operated by the government and legally binding in my
> country[1][2] (both of us are Spanish citizens).
>
> And at my request, he has digitally signed a document
eral hits for "Luis Puerto". This seems to be a
quite common name (just like mine :).
How to figure out if a given record contains name of the
"real" Puerto and not an other's?
What if I get crazy and I want all "Gabor Kiss" records to be deleted?
Do you simply bel
On Fri, 27 May 2022, Wiktor Kwapisiewicz wrote:
> > IMHO Mr. Puerto must show some evidence first about the key to delete
> > belongs to him. Otherwise any impostor can make delete other guys' key.
>
> This is actually pretty easy - they could cleartext sign a piece of text.
I did not say it
On Wed, 23 Jun 2021, Andrew Gallagher wrote:
> Making sks-keyservers.net point to somewhere that still works has merit. I
> would be cautious about taking it on though, as whoever owns it will inherit
> Kristian's GDPR problems. You would need to be prepared to respond to RTBF
> requests in a
d be useful if you could standardize the graphs somehow.
I.e. try to PLOT successful_connections per time_interval.
Regards
Gabor Kiss
--
No smoke, no drugs, no vindoze.
On Sun, 4 Apr 2021, Dan Egli wrote:
> fighting, the system is back. Unfortunately, in the process I lost my
> membership file, so I have no idea who I was peering with. I've plugged in the
Check this:
https://sks-keyservers.net/status/ks-peers.php?server=jupiter.newideatest.site
Gabor
--
A mug
On Mon, 22 Mar 2021, Andreas Puls wrote:
> > One can decide to setup a proxy server without any own backend
> > but redirecting queries to some of the existing servers.
> > No one would recognize the cheating. :-)
> >
> Looks like somebody already done that :)
> Just got a reuqest for the host
On Mon, 22 Mar 2021, Marcel Waldvogel wrote:
> a) We leave it as is, Hockeypuck is fine, but just not in the pool.
> b) We create a second pool, where Hockeypuck is acceptable (and
> probably SKS as well).
> c) We agree that Hockeypuck lying to be SKS is accepted in the pool,
> and maybe even
On Wed, 14 Oct 2020, Adam Wojcieszonek wrote:
> - loaded dump from
> keys.niif.hu/
> (14.10.2020)
Folks,
FYI unfortunately the last successful dump was two months
ago on keys.niif.hu.
Since then some database corruption prevents dumping.
I delete the garbled files from the dump area right now.
On Thu, 11 Jun 2020, Todd Fleisher wrote:
> Has anyone seen or heard from Kristian in the last month or so? I?ve reached
> SKS HKPS pool will become defunct. If anyone has other channels by which to
> reach Kristian, please use them to reach out and make sure he is OK & aware
> of this impending
On Fri, 1 May 2020, Stefan Claas wrote:
> And in case those are not regular or updated keys, are there
> any good keydump analyzing tools availabe which one can use
> for analyzing the freely available key dumps?
I would create such a programs from the scratch but I cannot
find even the format
> i have dumps though i might be out of sync.
> you can try lowering the batches to import. it'll take longer to import but
> is safer.
> see the notes in this section:
>
> http://mirror.square-r00t.net/#dumps-importing
Many thanks. :-)
"keys.niif.hu back on the air".
Gabor
ur config:
keys.niif.hu 11370 # Gabor Kiss 0x3B4A0EFBBD368329
Regards
Gabor
--
"Wenn ist das Nunstück git und Slotermeyer?
Ja! ... Beiherhund das Oder die Flipperwaldt gersput."
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.o
> If you do an 'lsof' you will also see all the dump files (223 when I
> built it) are open, even when having done a normal build. The only way
> to prevent this is to move the dump directory after the build finishes.
> This could also be contributing to the resource consumption.
Dump files are
> In the last 3 days some 3 new keys were uploaded.
> The rate is 10 times higher than the average.
Update: 6+ new keys arrived just yesterday according to
Kristian's statistics.
https://sks-keyservers.net/status/key_development.php
I copy here for later reference:
Keys added today
ks.stsisp.ro 11370 # 0x771a3bcce74c8cdd
>
> Thank you
Dear Emily,
You should not add dozens of peers to your membership file with a high hand.
Peering is based on arrangements.
Gabor Kiss
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
> I have loaded key dumps from http://stueve.us/keydump.
> I see 5.450.511 keys loaded.
Just a note.
steve.us/keydump looks like ths:
...
sks-dump-0085.pgp 01-Dec-2018 02:22 121M
sks-dump-0086.pgp 01-Dec-2018 02:23 126M
sks-dump-0087.pgp 01-Dec-2018
> So, what can I do?
> I know ths patch (which seems to be included in debian sks package) to
> ignore one special malicious key, but that seems to not help about those
> noted above. Is there a patch to add more keys to be ignored?
> As some IPs requests the same KeyID over and over again (>100
> There are a handful of people with the background and skills to write a
> next-generation keyserver. I looked into it a dozen years ago and wrote
> up a whitepaper on it. I know Phil Pennock has put a lot of thought
> into it. Andrew, likewise. There are easily five or six people on this
>
> 2019-01-29 14:21:22 Adding hash 7594FE72B3E93A0350D9950B926F81A7
> 2019-01-29 14:21:22 Del'ng hash A3875A8B77A3ABADE2B855A8FCABC73D
> 2019-01-29 14:22:29 add_keys_merge failed: Eventloop.SigAlarm
> 2019-01-29 14:22:38 Key addition failed: Eventloop.SigAlarm
>
> My best guess is that this key
> i noticed a key, which, whenever one of my peers tries to send it to me, is
> failing and causing unstable enlistment in the sks pool list.
My typical logs in the same time:
> Jan 14 13:54:08 atlas sks[17917]: 2019-01-14 13:54:08 Requesting 100 missing
> keys from , starting with
>
> Request counted in 2h:
>
>178 0xB33B4659
> 186 0x69D2EAD9
> 290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
> 336 0x1013D73FECAC918A0A25823986CE877469D2EAD9
I checked my logs. 15% of the recent 18k requests were related to these keys.
They belong to:
FreePBX Module Signing
> So it looks like the dump from keys.niif.hu got corrupted as well...
Ooops!
Thanks for the heads-up.
I'll check it.
Gabor
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
> > due to the GDPR discussion and the devs not moving from their point of
>
> Who do you think "the devs" are?
Yeah.
AFAIK "dev" is within the name of the list only but the subscribers.
There are only operators here.
(And a journalist.)
Gabor
___
Hehe... This "yakamo k" really does not like the key servers.
Gabor
--
The Meaning of Life of Brian
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
> I am looking for peers for a new SKS keyserver installation.
>
> I am running SKS version 1.1.6, on keyserver.gnumail.de
> It is a private machine.
> The server is physically located in Germany (EU).
> The machine has no IPv6 connectivity yet.
>
> I have loaded a keydump from keys.niif.hu,
On Thu, 23 Aug 2018, Kristian Fiskerstrand wrote:
> Are the servers clustered in any way? In my experience each site needs
> at least 3 nodes to ensure proper operation (mainly if A and B are
> gossipping C can still respond to requests, depending on the amount of
> traffic / speed of the node to
> My server (sks.daylightpirates.org) currently has an uptime of
> 97.95%, but every few hours the "sks db" process spikes to 100%
> CPU which makes the web interface completely unresponsive, which
> I'm guessing is why I keep getting kicked out of the pool.
>
> In the db.log, for each of these
> > Then let's drop keys that don't contain a valid email address in the key id.
>
> How do you propose to validate the email address?
>
> (Hint: this is a surprisingly hard problem.)
See also "web of trust" and "strong set".
Addresses should/can be checked by humans worldwide who sign/certify
> I have tried almost everything, from downloading a dump and starting the
> server sks again to reinstall system and everything else, the result is
> always the same, it works well for a while, sometimes an hour sometimes
> a little more and suddenly it it freezes the key server, reaching 80%
>
On Fri, 15 Jun 2018, Kiss Gabor (Bitman) wrote:
> Yesterday at 18:15 (CEST) keys.niif.hu started to produce tons
> of logs in /var/lib/sks/DB. In less than 2 hours the 40 GB filesystem
> got fulfilled.
> Deleting files and restarting processes did not help:
> Unfortunately I cannot work on
> been fairly quiet since then, but the service is still going, so
> it's about time I ask for new peers.
Dear John,
I wonder what do you expect from more peers? :-)
Hanor
___
Sks-devel mailing list
Sks-devel@nongnu.org
> My personal conclusion is that keyservers that support user id packets are,
> quite simply, incompatible with GDPR law. Has anyone else thought about this?
I did. I agree with you.
> From the view of an app, the GDPR requires "privacy by design" and "privacy by
> default". This conflicts with
> I think all SKS servers should attempt to recon with as many other
> servers as they can find. The tools exist to walk the network from a
> known starting point or points and enumerate all responsive hosts. Why
> not have each SKS server walk the network and update the in-memory copy
> of its
> The second, harder, issue with the above is eventual consistency.
>
> We assume that every peer will eventually see every packet at some
> point. But it is entirely possible that all of my peers will put in
> place policies against (say) photo-ids, and therefore I may never see a
> photo-id
> Do I need to announce it on this list?
SUre, you would be quite thoughtful :-)
> or how do I remove the server
> temporally from the pool?
It is fully automatic.
Regards
Gabor
___
Sks-devel mailing list
Sks-devel@nongnu.org
> 2018-01-29 18:05:16 error in callback.:
> Sys_error("Connection reset by peer")
>
> I?m seeing these type of error messages, which is great to know that it
> happened, but it begs the question: Who/what was the peer that reset the
> connection?
> The reverse side (As I?m having the two
> It appears that my server gpg.nebrwesleyan.edu has been out of the
> pool since yesterday.
https://sks-keyservers.net/status/ks-status.php?server=gpg.nebrwesleyan.edu
These statistics were last updated: 2018-01-23 19:35 (UTC)
Status for gpg.nebrwesleyan.edu
Latest status OK
I cannot see any
> Let's Encrypt has the DNS-01 challange where the admin produces a
> verification code that Kristian has to publish into his DNS zone through
> a txt record. As soon as this is done the admin can create a certificate
> that includes the pool hostname *and* his personal individual
> hostname(s)
> just noticed, that my server keyserver.swabian.net is currently not in
> the pool, showing delta -418. is the delta the problem, or are there
According to
https://sks-keyservers.net/status/ks-status.php?server=keyserver.swabian.net
the answer is "yes".
> more factors considered?
> according
> I just finished installing and configuring sks on a server I intend to
> add to a pool and am now looking for some well-connected servers that
> are willing to peer with me.
> Please note that my recon port is behind a firewall so connections will
> fail until I've opened the firewall for your
On Tue, 20 Jun 2017, robots.txt fan wrote:
> From: robots.txt fan
> how can you assume that it was me who uploaded a key with my name on it?
Don't worry.
I searched your name (i.e. RTF) with Google and no hits came from
any key server on the fist five pages. :->
>
> I have loaded a keydump from pgp.key-server.io, dated 2017-07-08.
> I see 9 keys loaded.
It is too few.
Total number of keys is about 4.7 million.
Regards
Gabor
___
Sks-devel mailing list
Sks-devel@nongnu.org
> Thanks for letting me know'. Everybody opens a browser at least once a
> day (correct me if I'm wrong), so it wouldn't take a minute to browse to
> (for example)
> https://sks-keyservers.net/status/ks-status.php?server=sks.lockmail.net
> to check its status.
It is too boring. :-)
I have a cron
Dear dirk,
> My "limit" is "not-ok"-status on Kristians statistik-page and no update
> within around 8 to 10 weeks (field "last updated").
Why do you care if (latest) status OK or not?
Kristian just marks if a server is pool member or not.
A server may be excluded from the pool due to several
> The stats of my sks server (1.1.5) shows a great increase in new keys
> and updated keys on August, 2016, 13 and 16 :
>
> TimeNew Keys Updated Keys
>
> 2016-08-1627470 24231
> 2016-08-15908 407
> 2016-08-14586 226
>
> > Out of curiosity, is there any Debian-type repository one can use to
> > install updates automatically?
> >
> https://packages.debian.org/jessie/sks ???
Jessie is the _stable_ version. Its sks package won't be upgraded
unless a major security hole will be found in 1.1.5.
We hope sid gets
Dear Kristian,
"It's just business nothing personal..." :-)
> > Let's start thinking about how to issue HKPS certificates in the future.
> > I'm afraid Kristian is too busy to do this.
> >
>
> I'm not too concerned about it, but keep in mind the primary goal for
> that is sufficient
> I'm running a SKS server version 1.1.5 - hostname
> keyserver.flippylosaurus.eu. It should be accessible via IPv4 (v6 should
Why page http://keyserver.flippylosaurus.eu:11371/pks/lookup?op=stats
writes this?
HTTP port: 11372
It is quite strange. :-)
Gabor
--
No smoke, no drugs, no
> I think the only reasonable solution is that every server operator gets a
> local blacklist that can be filled with keys / signatures / regex etc. and
> that only prevents matched entries from being saved to the database. To
> remove a key from all servers, all operators would need to add it to
> Howdy,
> I am looking for peers for a new SKS keyserver installation.
>
> I am running SKS version 1.1.3, on sks.rarc.net. I support a local
Dear Chris,
Please check these pages:
https://sks.rarc.net/pks/lookup?op=stats
(i.e. no change since 6th of May)
Dear Pete,
> I already run one SKS keyserver, and am thinking of running a second.
> The caveat is that the public IP address of the second system
> periodically changes. When it does, the DNS name pointing to that
> system is updated automatically (typically within a few seconds).
>
> How
> The dump files are OpenPGP format. You can just use gpg as the tool. For
> instance:
> gpg < /var/lib/sks/dump/sks-dump-0203.pgp
I see. Thanks for the hint.
Now if I count lines with 'packet:' string in
output of "gpg --list-packets" the result is only 406929.
Even if I sum every lines of
I really like the idea of only accepting self-signed stuff as it would raise
the bar for vandalism.
No one is kept from generate a million of new regular looking
self signed keys with some additional unwanted content.
Gabor
___
Sks-devel mailing
I guess the real problem for further key-server development is there is no
common
vision or goal for the SKS-network. I really doubt it is possible we ever
agree on
one (or even multiple) either ;-)
SKS network is a big white wall where everyone can paint. :-)
I wonder why is not fulfilled
Did you know abput some official sks hidden service i could add to my
membership file?
There is:
t3iqlf4oumhz2zg3.onion 11370
And that one is exactly the same as:
keys.techwolf12.nl 11370
What is the use of starting a hidden service if the server
otherwise is totally public and well
At first sight memory footprint of sks recon is drastically reduced.
... but after a few hours suddenly it grew again.
http://bakacsin.ki.iif.hu/~kissg/tmp/memory-day.png
May be hunt for misbehaving peers.
Flow analysis shows almost no traffic on port 11370
yesterday between 21:20 and
Dear Robert,
Did you check the cache value in /etc/sks/sksconf.
for my server, i have
# max cache DB
cache: 80
I have no such settings.
sksconf is unchanged since Dec 17 2013.
Now I add this entry. Then I listen and wait. :-)
Thanks.
Gabor
--
A mug of beer, please. Shaken, not
Last Friday I reorganized disk partitions used by SKS.
At first sight it was all right but now I found, that
recon process consumes the whole memory:
I already restarted it yesterday but today I'm out of memory again.
My system:
Stock Debian wheezy. Package version is 1.1.5-1~bpo70+1.
I've just moved sks-keyservers.net to a new server on another
location, so please let me know if any unexpected issues should arise
over the next few days and I'll start the old host again instead.
The new site seems to have some certificate problem.
Iceweasel (Firefox) says:
I have a new keyserver running and would like to peer with other
servers. Please add me to your 'membership' file with the following
entry and provide your details in return so I can do the same:
keyserver.erat.systems 11370 # Jens Erat em...@jenserat.de 0xA4FF2279
Dear Jens,
Have you
You can still block certain pakets from up/downloads (i.e. not
providing signature pakets for some key -- kind of a DoS when checking a
trust path)
We spoke about information leakage and manipulation so far.
DoS is a quite other topic.
SKS network is quite vulnerable from this point of view.
A
In case of the last remaining 7 servers (= every 5th server) the test
showed an exploit opportunity related to CVE-2014-0224 [4], which can
be eliminated by simply updating the OpenSSL package on these systems.
As I'm not that much deep in the topic I'm not sure about the impact
of this issue
I have set up a new key server with a key dump that's roughly a week old.
You have 1.50 million keys only.
Try againg until you get 3.67 million.
Gabor
___
Sks-devel mailing list
Sks-devel@nongnu.org
Dear Michael,
I have a new keyserver running and would like to peer with other
servers. Please add me to your 'membership' file with the following
entry and provide your details in return so I can do the same:
Err... how did you establish peer connection with
eu.pool.sks-keyservers.net?
List doesn't appear to be ack'ing my emails. Testing from gmail.
We got all the tree.
But archive lacks of them.
http://lists.nongnu.org/archive/html/sks-devel/2014-06/index.html
Gabor
___
Sks-devel mailing list
Sks-devel@nongnu.org
Could you please explain the color-codes (on the page?).
Red/green is obvious, but I don't know where this orange
color for hkps sites comes from (SNI?)
Indeed, or the meta page for the server in question.
By the way. Kristian!
May I suggest you to use title=explanation attributes within td
On Wed, 9 Apr 2014, kristian.fiskerstr...@sumptuouscapital.com wrote:
You are quite correct, and I will revoke and issue new certificates as I get
CSRs signed with the same openpgp keys that I originally got requests from.
Dear Kristian,
Please consider to remove vulnerable servers from HKPS
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In recognition of package-maintainers backporting the security fixes
to older versions of SKS for stable systems I'm revising the latter
statement a bit. I have now implemented a test for affected servers
instead of relying on the version
Might I suggest that there be some time given for servers to be upgraded
before making this change? My servers run a stable baseline distro but I
deploy SKS via backported packaging which hasn't been upgraded and I'm
not going to compromise my system and run hand rolled source deployments
as
On Mon, 5 May 2014, Kristian Fiskerstrand wrote:
We are pleased to announce the availability of a new stable SKS
release: Version 1.1.5.
Dear Daniel,
Do you plan to create a Debian package for wheezy?
Regards
Gabor
___
Sks-devel mailing list
I'm not on the list and if you connect to my server
I did not. This was the command:
for server in a.keyserver.pki.scientia.net key.adeti.org key.ip6.li \
keys.alderwick.co.uk keys.fedoraproject.org keys.niif.hu keys.sflc.info \
keys2.alderwick.co.uk keys2.kfwebs.net
I have not yet implemented an automated check for this in the pool
(and a bit unsure how I'd do it without actually sending large amount
of data to the server during the check, something I generally want to
avoid), but might run a semi-manual / scripted check and add affected
servers to the
You are quite correct, and I will revoke and issue new certificates as I
get CSRs signed with the same openpgp keys that I originally got
requests from.
So we should just wait for new certificates. Right? :)
All of us have to generate new secret key key and signing request first.
Gabor
Having just spent about an hour sifting through my recon.log and
trying to track down the number of unauthorized gossip attempts I was
seeing I've stopped. I've already contacted a few that I was able to
identify and instead just figured I'd blanket the list as it seems to be
a wider
I have just set up a new key server and am looking for others to peer
Dear Klaus,
Your database is empty.
Load a keydump first.
BTW, Could you run a traceroute to keys.niif.hu?
Gabor
___
Sks-devel mailing list
Sks-devel@nongnu.org
hkps is basically a 443 to hkp forward - I am using nginx for that. Just
be SURE you do NOT use SNI or rely/ need a vhost/hostname as some
client/most clients (gnupg) do not send this information. It is actually
only feasible on a dedicated IP for SKS where Port 443 is solely used
for
well, i?m waiting for permission to activate the individual server ?
Peoples who want peering with you will write soon.
You also may reply other partner seeking requests.
Don't be impatient. :-)
Gabor
--
Virgil Brigman back on the air
___
Sks-devel
I am looking for peers for a new SKS keyserver installation.
I am running SKS version 1.1.4, on keyserver.plitc.eu.
{We are an ISP with public services}.
The server is physically located in Germany (EU).
The machine has IPv6 connectivity.
Dear Daniel,
Your status page says your server
Simple, we're using client side encryption, you can review the javascript
code in your browser. The server/service receives encrypted messages and
send it to the receiver. The server/service can't decrypt your message, it's
PGP.
I think that what Gabor meant was that *maybe* a client will
good luck on the move. i'm running the instances in virtual environments
myself, so please let us know if you encounter any issues. there used to be
a timer issue that influenced virtual machines more frequently than physical
boxes that affected the recon process. this is hopefully fixed in
Dear David,
These are the same problems that are always present. First, there's
the usability versus function (and it is really sad that these have
become opposite poles), and second, there's the competence to audit
code, which is probably an issue for an even greater number of people
than
i'm running sks 1.1.4 on Debian GNU/Linux, wheezy, amd64 (x86_64)
platform.
1.1.3, squeeze/i386
Can anyone with a dual-stack machine (both IPv6 and IPv4) verify a
successful connection from an IPv4-only peer in their recon logs?
I can see no similar log messages.
Gabor
But I had a problem. When sks was set to listen on port 11371, apache
complained about listening on the same port. So I have changed the sks
port to 11372 and configured Proxy to this port:
VirtualHost *:80 *:11371
ServerName klucze.achjoj.info
Proxy *
Order deny,allow
I was already running keyserver.linuxpro.nl on ipv4, I started testing with
sixxs ipv6 tunnel. If you like, you can test keyserver.linuxpro.nl on ipv6:
2001:610:600:6da::2
Gee!
RTT is 53.5 ms over IPv4 but 23.7 over IPv6 from keys.niif.hu. :-)
Gabor
How about a big, ugly label at the top of your search page:
NOTICE: Access from the EU forbidden.
Stupidity like that solves a (technically uninforcible) legal issue with
another (technically uniforcible and equally stupid) legal claim.
I wanted to propose some similar.
Each servers
On Mon, 4 Nov 2013, robert.O wrote:
I think this is the openpgp and Gnupgp to modify the program and add:
1- revoke the key without deleting data
2 - revoke the key and delete data
*Then sks-server respect**the orders of the owner of the private key*
Arnold wrote:
| If I remember right,
Whatever the decision, could you provide documentation for
configuration of such a reverse proxy for both Apache and Nginx?
What I miss is a set of diagnostic procedures/recipes that could
help an operator to figure out if his server fits various requirements.
Like this was on Monday:
|
On Tue, 29 Oct 2013, dirk astrath wrote:
I suggest to sign the to-be-deleted-key with a special signature,
which causes the personal data of this key not to be displayed.
http://lists.nongnu.org/archive/html/sks-devel/2012-05/msg00153.html
:-)
With a great number of the SKS servers already in the pool now
supporting a reverse proxy[a] does it make sense to make this a
hard-requirement for inclusion in the pool in order to increase
availability?
1 vote against it. (Sorry if I seem to be ungrateful. :)
Ideally, if network traffic
I have a new keyserver running and would like to peer with other
servers. Please add me to your 'membership' file with the following
entry and provide your details in return so I can do the same:
pgp.megagod.net 11370 # Kullawat Chaowanawatee e29...@gmail.com
0xC19EAE3A
It is ...
As of today keyserver.maze.io. will be known as key-server.nl, the old DNS
alias
will remain existent in the near future, but please refer to key-server.nl in
the future.
There is no record for the later one.
Anyway. Unless you plan to cancel the entire maze.io domain there is no
On Tue, 6 Nov 2012, Ronny Wagner wrote:
I have a new keyserver running and would like to peer with other
servers. Please add me to your 'membership' file with the following
entry and provide your details in return so I can do the same:
keys-01.licoho.de 11370
Dear Ronny,
I did add your
the website for sks-keyservers.net will be down for a few days after
some technical difficulties. The pool itself should operate (no change
to DNS records), the data will just not be updated.
Note: DNS advertises 213.161.224.2 as one of possible addresses of
pool.sks-keyservers.net.
This may
As an FYI; I've now added HTTPS/TLS support to
https://sks-keyservers.net . It is part of the monkeysphere[0], i.e.
using a self-signed certificate that can be verified through the Web of
Trust of OpenPGP.
The KeyID of the certificate should is 0xd71fd9994af34f0b and can be
found in the
Actually it is not true that SKS does not modify certs.
AFAIK, no one in this discussion ever claimed it does. It was claimed
I did not say that someone stated this. :-)
However I say: if one kind of modification is allowed
then the other is also possible.
that SKS never deletes
I'm with Rob. The keyservers should always host full certificates. Once we
start expiring keys or modifying them by removing bits, we become the
Untrusted Keyserver Cabal. Many would abandon us, probably forking to create a
There is no guarantee that one can trust all of current key servers.
If I was related to certain Asian governments I'd set up a fake key
server that is the only reachable from the country then I'd
serve manipulated keys to certain clients.
How do you propose to manipulate those keys? Do you have some way of
breaking RSA that we don't know about?
You
Plus, the instant there's a committee the committee members will likely
become legally responsible for the content of the network. If someone
Mostly you are right.
However this legal issue can be solved if the individual SKS server
operators may decide if they accept the comittee's suggestion
1 - 100 of 131 matches
Mail list logo