I advocated use of wwwkeys.pgp.net before..  I find I must now retract
that recommendation, given that I have discovered the HKP corruption
bug.  WTF is the HKP corruption bug?  If you have a key, say ..

  knghtbrd@galen:~$ gpg --list-keys 0x8FF7D7A3DCF9DAB3
  pub  1024D/DCF9DAB3 1999-03-01 Joseph Carter <[EMAIL PROTECTED]>
  uid                            Joseph Carter <[EMAIL PROTECTED]>
  uid                            Joseph Carter <[EMAIL PROTECTED]>
  uid                            Joseph Carter <[EMAIL PROTECTED]>
  uid                            Joseph Carter <[EMAIL PROTECTED]>
  sub  2048g/3F9C2A43 1999-03-01 [expires: 2003-07-08]
  sub  4096g/DC6AD094 2003-01-09

.. and you send it to a server ..

  knghtbrd@galen:~$ gpg --keyserver hkp://wwwkeys.pgp.net \
  > --send 0x8FF7D7A3DCF9DAB3
  gpg: DBG: increasing temp iobuf from 8192 to 16384
  gpg: success sending to `wwwkeys.pgp.net' (status=200)

.. someone using PGP << 7.x (probably) or GnuPG << 1.2.x (for certain)
will find the key valid for checking signatures, but not for encrypting
messages.  Tim Howe found this problem with my key.  The problem happens
when you use a key with two subkeys, like mine has above.  GnuPG 1.2.x
will work around this corruption the best it can, trying to restore one
subkey, but it will only restore the first one.  As it happens, that means
the first subkey, which means that in six months my key will not be
suitable for encrypting messages to me unless you get the 4k subkey
imported somehow (ie, by getting the key from me or from a non-broken
keyserver..)


There are not many non-broken keyservers out there.  Most that exist are
slightly non-reference implementation HKP (which GnuPG can talk to) or
these days there are LDAP keyservers.  I am now using (and suggest you use)
"keyserver ldap://keyserver.pgp.com"; in my .gnupg/options file.  Note, for
this to work your GnuPG needs to be built with LDAP support.  Debian does
this, Gentoo does only if you have ldap in your USE flags.  No idea about
any of the BSDs or other Linux distributions.

If you have not played with LDAP otherwise, I recommend looking into it.
I myself have not done so much with it, but what I have done has convinced
me that LDAP is very cool and should eventually replace a whole bunch of
less flexible and less-nifty things (NIS for example..)

-- 
Joseph Carter <[EMAIL PROTECTED]>            I N33D MY G4M3Z, D00D!!!!111!!
                                                      (Just ... don't ask)
 
<xtifr> Athena Desktop Environment!  In your hearts, you *know* it's the
        right choice! :)
* Knghtbrd THWAPS xtifr

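An added check, not part of the original message: a small POSIX shell script that counts the usable encryption subkeys in a local key listing and in the copy fetched back from a keyserver, so that the loss of the second subkey described above shows up before anyone relies on the server copy. The colon-format listings are constructed to mirror `gpg --with-colons --list-keys` in the YYYY-MM-DD date form of GnuPG 1.x (an assumption; newer versions print epoch seconds), using only the key ids shown in the message.

```shell
#!/bin/sh
# Constructed sample listings (not real gpg output): the local copy of the
# key with both subkeys, and the same key after an HKP round trip in which
# only the first (expiring) subkey survived.
LOCAL_COPY='pub:u:1024:17:8FF7D7A3DCF9DAB3:1999-03-01::u::::scESC:
uid:u::::1999-03-01::::Joseph Carter <[EMAIL PROTECTED]>::
sub:u:2048:16:3F9C2A43:1999-03-01:2003-07-08:::::e:
sub:u:4096:16:DC6AD094:2003-01-09::::::e:'

SERVER_COPY='pub:u:1024:17:8FF7D7A3DCF9DAB3:1999-03-01::u::::scESC:
uid:u::::1999-03-01::::Joseph Carter <[EMAIL PROTECTED]>::
sub:u:2048:16:3F9C2A43:1999-03-01:2003-07-08:::::e:'

# enc_subkeys_on LISTING DATE
# Prints the number of "sub:" records whose capability field (field 12)
# includes "e" and whose expiry (field 7) is empty or later than DATE.
# Dates are compared as YYYY-MM-DD strings, which sort correctly.
enc_subkeys_on() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        $1 == "sub" && index($12, "e") > 0 && ($7 == "" || $7 > today) { n++ }
        END { print n + 0 }'
}

# check_keyserver_copy LOCAL_LISTING SERVER_LISTING DATE
# Returns 0 when the server copy keeps at least as many usable encryption
# subkeys as the local copy, 1 when subkeys went missing (the HKP symptom).
check_keyserver_copy() {
    _local_n=$(enc_subkeys_on "$1" "$3")
    _remote_n=$(enc_subkeys_on "$2" "$3")
    if [ "$_remote_n" -lt "$_local_n" ]; then
        echo "keyserver copy lost $((_local_n - _remote_n)) encryption subkey(s); re-import from a non-broken source"
        return 1
    fi
    echo "keyserver copy intact: $_remote_n usable encryption subkey(s)"
    return 0
}

# Before the first subkey expires the loss is already visible; after
# 2003-07-08 the server copy has no usable encryption subkey at all.
check_keyserver_copy "$LOCAL_COPY" "$SERVER_COPY" 2003-01-10 || true
check_keyserver_copy "$LOCAL_COPY" "$SERVER_COPY" 2003-08-01 || true
```

To run it against a real key, feed the two functions the output of `gpg --with-colons --list-keys KEYID` from the local keyring and from a keyring into which the server copy was imported.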