Re: Which keyserver

2020-09-18 Thread Vincent Breitmoser via Gnupg-users


> keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is
> now returning zero results.

Let me break the prose down into the simple facts:

* the "HKPS" pool is no longer actually a "pool". It is a [single server].

* the "HKP" pool still contains a few servers, but using it means *all
communication happens in plain text*.

* the newest release of SKS is [1.1.6], from August 2016.

> until it came under sustained attack from people trying to burn it all down

It is true the attacks were what brought it down, but the amount of effort was
not a "sustained attack" by any measure. The invested resources are somewhere
around "couple hours and $0.00".

 - V

[single server]: https://sks-keyservers.net/status/ (hkps column)
[1.1.6]: https://github.com/SKS-Keyserver/sks-keyserver/commit/b1725fda5dd89343b304c2126df78ad34bef66a8

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 15:04 +0200, accounts-gn...@holbrook.no wrote:
> Is it possible to define multiple sources of keys with WKD, for example
> with a dns TXT record? The use-case would be if the main server is down,
> alternative places to get it.

The SRV record approach had to be dropped because the people doing
OpenPGP in web-browsers protested hard, since browsers _still_ refuse to
implement SRV lookup.  So we're stuck with an ancient model.

Currently that means "set up openpgpkey.example.org using whatever
loadbalancers and multiple A records across regions you like".

Within a few years we _might_ be able to get SRV-like distribution for
HTTPS with the proposed new `HTTPS` RR-type for DNS:
  https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https
but that's not something you can rely on today.

-Phil



Re: Which keyserver

2020-09-18 Thread Mark
Phil,

Thanks for the explanation on what was happening. I thought something
was just not right as when I hit search it would come back in less than
a second with 0 results. It seemed to me that it didn't actually even
search through the database. Anyway now that you say there is not really
a server anymore to search it makes sense. 

I'm not familiar with the attack on it and by who so will have to google
it and see if I can learn more.

On 9/18/2020 8:32 AM, Phil Pennock wrote:
> On 2020-09-18 at 08:06 -0700, Mark wrote:
>> I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not
>> working right. I was not getting any hits back when searching with
>> Kleopatra and then I tried to ping that server which returned host not
>> found.  So I'm also interested if there is a better choice.
> keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is
> now returning zero results.
>
> The pool of SKS keyservers is Very Unhealthy.  The entire keyserver
> system had Known Issues but worked well enough that the volunteers who
> ran it could keep it alive and improving, until it came under sustained
> attack from people trying to burn it all down and push people to use
> "not OpenPGP" instead (some of the funding for attack tool development
> came from an org which is firmly pushing one of the modern alternative
> encrypted communications tools).
>
> There's still some keyservers, but what you see now are the red smoking
> embers of what's left after everything else has been burnt down.  From a
> pool of around 120 servers, almost all routinely working fairly well and
> being able to maintain per-continent pool aliases of servers which were
> health-checked and removed if not doing well, there's now fewer than 20
> servers left, from very few independent sources, and even those in the
> main pool are often not doing well.
>
> Which is why folks are struggling and trying to find something which
> works well enough.  There's nothing which fits all needs, but various
> solutions for some scenarios.  See my first reply in this thread with
> suggestions of particular servers.
>
> -Phil


Re: Which keyserver

2020-09-18 Thread Andreas Mattheiss
Hello,

>Is it possible to define multiple sources of keys with WKD, for example
>with a dns TXT record?

Well, yes, actually. This can be done with both X509 certificates (where it is
called SMIMEA) and gpg keys. Obtaining a key basically involves querying the
appropriate TYPE in the DNS record (53 for SMIMEA, 61 for openpgp). An
additional step is to check the authenticity of this record. All this is
completely separate from WKD though.

That's the theory. In practice, alas, bugger all's using it. It's a shame,
since this would really be a big step forward. The catch here is that it needs 
to be supported by the mail server where the addressee has his account. 
Needless to mention it is hardly deployed; in Germany mail.de has it, as do a 
number of paid email services. Plus, of course: before this goes big, the big 
email clients would have to support it. Of course you can hack something 
together using only command line tools (I've done that), but that's not the cup 
of tea for 99.9% of normal email users.

Vincent Breitmoser described this in this thread eloquently as being used by 
effectively nobody but a rounding error. Sigh.

Andreas



Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 08:06 -0700, Mark wrote:
> I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not
> working right. I was not getting any hits back when searching with
> Kleopatra and then I tried to ping that server which returned host not
> found.  So I'm also interested if there is a better choice.

keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is
now returning zero results.

The pool of SKS keyservers is Very Unhealthy.  The entire keyserver
system had Known Issues but worked well enough that the volunteers who
ran it could keep it alive and improving, until it came under sustained
attack from people trying to burn it all down and push people to use
"not OpenPGP" instead (some of the funding for attack tool development
came from an org which is firmly pushing one of the modern alternative
encrypted communications tools).

There's still some keyservers, but what you see now are the red smoking
embers of what's left after everything else has been burnt down.  From a
pool of around 120 servers, almost all routinely working fairly well and
being able to maintain per-continent pool aliases of servers which were
health-checked and removed if not doing well, there's now fewer than 20
servers left, from very few independent sources, and even those in the
main pool are often not doing well.

Which is why folks are struggling and trying to find something which
works well enough.  There's nothing which fits all needs, but various
solutions for some scenarios.  See my first reply in this thread with
suggestions of particular servers.

-Phil



Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 10:08 +0200, Franck Routier (perso) wrote:
> On Thursday, 17 September 2020 at 18:13 -0400, Phil Pennock via Gnupg-users
> wrote:
> >  If publishing keys, I do recommend setting up WKD for your
> > domain, which helps a little.
> 
> What is the status of WKD now, and is it to supersede centralized key
> servers ?

It's a draft spec, it's spreading a little.  Federated control of your
own namespace is always good.  Ultimately it's just HTTPS with a fixed
well-known layout.

kernel.org, debian.org, gentoo.org, archlinux.org -- it's spreading
amongst the Linux folks who have a central idea of what PGP keys are
supposed to exist in their domain.

Then there's exim.org and a couple of others, but I set those up and so
I can't say that this is proof of its popularity.

I think that any organization which uses PGP, including for signing
software releases, should be setting up WKD.  Non-WKD is for individuals
using PGP on a more ad-hoc basis.

Self-pimping:  has
other/standalone-update-website as a Python tool which can be integrated
into static site builds where something else manages the list of keys (I
have it in a Gulp rule for nats.io site build) and the repo itself is a
framework for managing the keys for one or more domains, so is used for
spodhuis.org, exim.org and pennock-tech.com.  The repo is designed to be
easy to fork and replace the key/domain definitions so that others can
use it.

-Phil
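The "fixed well-known layout" Phil refers to, and the DNS-record alternative Andreas describes earlier in the thread, both come down to a deterministic mapping from an e-mail address to a lookup location. The following is an added example (not code from the thread, nor from any poster's project) that derives both offline: the WKD hash and URLs follow draft-koch-openpgp-webkey-service, the DANE owner names follow RFC 7929 (OPENPGPKEY) and RFC 8162 (SMIMEA); the addresses used are constructed.

```python
"""Where key discovery looks for an e-mail address: WKD URLs vs DANE owner names.

Added example, not code from the thread. Implements the address-to-location
mapping from draft-koch-openpgp-webkey-service (WKD) and from RFC 7929
(OPENPGPKEY, type 61) / RFC 8162 (SMIMEA, type 53). Runs fully offline.
"""
import hashlib

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD


def zbase32(data: bytes) -> str:
    """z-base-32: 5 bits per symbol, MSB first, last group zero-padded, no '='."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_urls(address: str) -> dict:
    """WKD 'direct' and 'advanced' key URLs and their policy files.

    The local part is lower-cased, SHA-1 hashed and z-base-32 encoded (32 chars);
    the original local part travels back to the server in the 'l' parameter.
    """
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode()).digest())
    base, adv = f"https://{domain}", f"https://openpgpkey.{domain}"
    return {
        "direct": f"{base}/.well-known/openpgpkey/hu/{hu}?l={local}",
        "direct_policy": f"{base}/.well-known/openpgpkey/policy",
        "advanced": f"{adv}/.well-known/openpgpkey/{domain}/hu/{hu}?l={local}",
        "advanced_policy": f"{adv}/.well-known/openpgpkey/{domain}/policy",
    }


def dane_owner_name(address: str, rrtype: str = "OPENPGPKEY") -> str:
    """Owner name of the DANE record: SHA-256 of the local part, truncated to
    28 octets (56 hex chars), under _openpgpkey or _smimecert in the domain.
    The local part is hashed as given; case folding is left to the caller."""
    local, domain = address.rsplit("@", 1)
    label = {"OPENPGPKEY": "_openpgpkey", "SMIMEA": "_smimecert"}[rrtype]
    return f"{hashlib.sha256(local.encode()).hexdigest()[:56]}.{label}.{domain.lower()}"


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():  # constructed address
        print(f"{name:16}{url}")
    print("OPENPGPKEY      " + dane_owner_name("Joe.Doe@Example.ORG"))
```

Only the direct-method URL needs the bare domain to serve HTTPS; the advanced method moves everything under an `openpgpkey.` subdomain, which is the host you would put behind the load balancers and regional A records Phil mentions.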


Re: Which keyserver

2020-09-18 Thread Mark
I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not
working right. I was not getting any hits back when searching with
Kleopatra and then I tried to ping that server which returned host not
found.  So I'm also interested if there is a better choice.


On 9/17/2020 1:57 PM, Martin wrote:
> Hi list
>
> Which keyserver do you recommend these days?
>
> I have hkps://keys.openpgp.org in gpg.conf - but it seems that there
> are missing a lot of public keys on this server.



Re: Which keyserver

2020-09-18 Thread accounts-gnupg
I wasn't aware of WKD, thanks for the heads up.

Is it possible to define multiple sources of keys with WKD, for example
with a dns TXT record? The use-case would be if the main server is down,
alternative places to get it.


On Fri, Sep 18, 2020 at 12:55:45PM +0200, Vincent Breitmoser via Gnupg-users wrote:
> 
> > What is the status of WKD now, and is it to supersede centralized key
> > servers ?
> 
> Not for folks who have their email address at the domain of an email provider,
> or an organization that doesn't support WKD. So statistically, everyone but
> a rounding error.
> 
> That said, for folks who run their own domain, it seems WKD is gaining some
> ground.  keys.o.o has a (sort of experimental) "[WKD as a Service]" feature, and
> at this point there are more than 100 domains running on it. That's not a huge
> amount, assuming most of those are single-user domains, but it's something :)
> 
>  - V
> 
> [WKD as a Service]: https://keys.openpgp.org/about/usage#wkd-as-a-service



Re: Which keyserver

2020-09-18 Thread Vincent Breitmoser via Gnupg-users


> What is the status of WKD now, and is it to supersede centralized key
> servers ?

Not for folks who have their email address at the domain of an email provider,
or an organization that doesn't support WKD. So statistically, everyone but
a rounding error.

That said, for folks who run their own domain, it seems WKD is gaining some
ground.  keys.o.o has a (sort of experimental) "[WKD as a Service]" feature, and
at this point there are more than 100 domains running on it. That's not a huge
amount, assuming most of those are single-user domains, but it's something :)

 - V

[WKD as a Service]: https://keys.openpgp.org/about/usage#wkd-as-a-service



Re: Which keyserver

2020-09-18 Thread Franck Routier (perso)
On Thursday, 17 September 2020 at 18:13 -0400, Phil Pennock via Gnupg-users
wrote:
>  If publishing keys, I do recommend setting up WKD for your
> domain, which helps a little.

What is the status of WKD now, and is it to supersede centralized key
servers ?

Franck

