Re: recommendation for key servers

2021-07-07 Thread Daniel Kahn Gillmor via Gnupg-users
On Wed 2021-07-07 19:57:14 +0200, Werner Koch wrote:
> You need to check for the canonical form anyway and thus it is easier to
> directly sort it.  In case of signature subpackets (if that is one of
> your concerns), this is of course not possible and thus this would
> require that the specs require a specific order.

yep, i'm uninterested in any canonicalization trying to sort the hashed
subpackets -- they are whatever they are on the wire and any reasonable
implementation should accept them and retain them as is.
Canonicalization should be limited to the parts that are "flexible" in
that reordering does not invalidate signatures.

>> I'm happy for OpenPGP to continue avoiding ASN.1 as much as possible!
>> (and a bit bummed that a tiny, mangled bit of ASN.1 has crept in with
>> ECC but i guess that's water under the bridge)
>
> Oh, it is already also in PKCS#1 v1.5

ugh, right.  so it goes…

 --dkg


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: recommendation for key servers

2021-07-07 Thread Werner Koch via Gnupg-users
On Wed,  7 Jul 2021 08:30, Daniel Kahn Gillmor said:

> Without a canonical form, we simply can't make such a proposal.

You need to check for the canonical form anyway and thus it is easier to
directly sort it.  In case of signature subpackets (if that is one of
your concerns), this is of course not possible and thus this would
require that the specs require a specific order.

> I'm happy for OpenPGP to continue avoiding ASN.1 as much as possible!
> (and a bit bummed that a tiny, mangled bit of ASN.1 has crept in with
> ECC but i guess that's water under the bridge)

Oh, it is already also in PKCS#1 v1.5


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: recommendation for key servers

2021-07-07 Thread Daniel Kahn Gillmor via Gnupg-users
On Tue 2021-07-06 23:20:23 +0100, Andrew Gallagher wrote:
> That's an interesting idea, and it has merit in itself, but from a 
> keyserver point of view I think a more general solution is to explode 
> TPKs into atomic components, sync them separately, and reconstruct the 
> TPK on demand at query time. This addresses not just reordering of 
> packets, but also differential filtering, simultaneous updates, etc.
>
> See https://github.com/hockeypuck/hockeypuck/issues/137

thanks, this is a very interesting framing.  I've written some comments
on that github issue to try to think it through more.

Regards,

   --dkg



Re: recommendation for key servers

2021-07-07 Thread Werner Koch via Gnupg-users
On Tue,  6 Jul 2021 15:59, Daniel Kahn Gillmor said:

> There are no published specifications for how to canonically order
> OpenPGP packets, but i sketched a proposal here:

There has never been a need for such an ordering except for what the
specs require.  Introducing a specific order will make most applications
non-compliant.  Further, and more important, it does not help because an
application can't rely on this and needs to sort anyway.

ASN.1 DER rules for a SET require a specific order but OpenPGP
fortunately avoids ASN.1 encodings.

> Adoption of such a canonical ordering would reduce the amount of
> computation for synchronizing keyservers, once they all adopted the same

Keyservers can of course do that if that better fits their processing
model.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: recommendation for key servers

2021-07-06 Thread Andrew Gallagher via Gnupg-users

On 06/07/2021 20:59, Daniel Kahn Gillmor wrote:
> On Mon 2021-06-28 18:42:02 +0100, Andrew Gallagher via Gnupg-users wrote:
>> It’s not clear, but it may be due to a lack of canonical ordering of
>> packets.
>
> There are no published specifications for how to canonically order
> OpenPGP packets, but i sketched a proposal here:
>
>  https://dev.gnupg.org/T3389
>
> Adoption of such a canonical ordering would reduce the amount of
> computation for synchronizing keyservers, once they all adopted the same
> one.


That's an interesting idea, and it has merit in itself, but from a 
keyserver point of view I think a more general solution is to explode 
TPKs into atomic components, sync them separately, and reconstruct the 
TPK on demand at query time. This addresses not just reordering of 
packets, but also differential filtering, simultaneous updates, etc.


See https://github.com/hockeypuck/hockeypuck/issues/137

--
Andrew Gallagher




Re: recommendation for key servers

2021-07-06 Thread Daniel Kahn Gillmor via Gnupg-users
On Mon 2021-06-28 18:42:02 +0100, Andrew Gallagher via Gnupg-users wrote:
> It’s not clear, but it may be due to a lack of canonical ordering of
> packets.

There are no published specifications for how to canonically order
OpenPGP packets, but i sketched a proposal here:

https://dev.gnupg.org/T3389

Adoption of such a canonical ordering would reduce the amount of
computation for synchronizing keyservers, once they all adopted the same
one.

--dkg



Re: recommendation for key servers

2021-06-28 Thread C.J. Collier
*keyserver of course.

Please excuse my html, typos and use of soft keyboards.

On Mon, Jun 28, 2021, 16:33 C.J. Collier  wrote:

> I was thinking of building a keystone out of perl and bigquery, but I haven't
> gotten around to it yet.  At least not the bigquery part.  I'll share the
> perl http listener and dispatch server if anyone's interested.
>
> On Sun, Jun 27, 2021, 18:04 Jason Harris via Gnupg-users <
> gnupg-users@gnupg.org> wrote:
>
>>
>> There are still SKS servers running, but several are unsynchronized,
>> including, apparently, pgp.mit.edu.  Of course, they have the same key
>> import/poisoning problems already mentioned on these lists…
>>
>> Here are the hockeypuck servers I could find, all synchronizing properly
>> and apparently exchanging data (minus the unwanted packets) with the SKS
>> servers that are synchronized:
>>
>>- http://keys.andreas-puls.de/pks/lookup?op=stats
>>- http://keys2.andreas-puls.de/pks/lookup?op=stats
>>- http://keys3.andreas-puls.de/pks/lookup?op=stats
>>- http://pgp.cyberbits.eu/pks/lookup?op=stats
>>- http://pgp.re:11371/pks/lookup?op=stats
>>- https://pgpkeys.eu/pks/lookup?op=stats
>>- https://keybath.trifence.ch/pks/lookup?op=stats
>>- https://keyserver.trifence.ch/pks/lookup?op=stats
>>
>> HTH.  (Please excuse the HTML.)
>>
>> Sent from my iPad
>>
>> On Jun 24, 2021, at 7:19 PM, deloptes via Gnupg-devel <
>> gnupg-de...@gnupg.org> wrote:
>>
>> 
>> Hi, we heard that sks-keyservers.net will be deprecated
>> so we were wondering what service we should use in the application
>> default settings
>> We I mean TDE devs
>>
>> where do we go from here?
>>
>> thank you in advance
>> BR
>
>

Re: recommendation for key servers

2021-06-28 Thread C.J. Collier
I was thinking of building a keystone out of perl and bigquery, but I haven't
gotten around to it yet.  At least not the bigquery part.  I'll share the
perl http listener and dispatch server if anyone's interested.

On Sun, Jun 27, 2021, 18:04 Jason Harris via Gnupg-users <
gnupg-users@gnupg.org> wrote:

>
> There are still SKS servers running, but several are unsynchronized,
> including, apparently, pgp.mit.edu.  Of course, they have the same key
> import/poisoning problems already mentioned on these lists…
>
> Here are the hockeypuck servers I could find, all synchronizing properly
> and apparently exchanging data (minus the unwanted packets) with the SKS
> servers that are synchronized:
>
>- http://keys.andreas-puls.de/pks/lookup?op=stats
>- http://keys2.andreas-puls.de/pks/lookup?op=stats
>- http://keys3.andreas-puls.de/pks/lookup?op=stats
>- http://pgp.cyberbits.eu/pks/lookup?op=stats
>- http://pgp.re:11371/pks/lookup?op=stats
>- https://pgpkeys.eu/pks/lookup?op=stats
>- https://keybath.trifence.ch/pks/lookup?op=stats
>- https://keyserver.trifence.ch/pks/lookup?op=stats
>
> HTH.  (Please excuse the HTML.)
>
> Sent from my iPad
>
> On Jun 24, 2021, at 7:19 PM, deloptes via Gnupg-devel <
> gnupg-de...@gnupg.org> wrote:
>
> 
> Hi, we heard that sks-keyservers.net will be deprecated
> so we were wondering what service we should use in the application default
> settings
> We I mean TDE devs
>
> where do we go from here?
>
> thank you in advance
> BR

Re: recommendation for key servers

2021-06-28 Thread Jean-Jacques Brucker via Gnupg-users


"Hell is paved with good intentions."

GDPR came from the laudable intention of limiting the power of GAFAMs 
and other data brokers, inside our private lives.


But the text maintains a confusion between personal data and private 
data. Some personal data is not and should not be private. Email could 
be one of them, if everyone used a web of trust, which would allow us to 
know more precisely who is the sender, and to fight more effectively 
against SPAM.


(NB: In addition, the text annoys small organizations more than large 
groups which have the means to circumvent it, via internationalization 
and lobbying)


I have a public email, and i would like to have an email service or 
client which could automatically delete unsigned messages, and let me 
order received email by a "proximity" in the WOT, or by a "confidence" 
according to my trustdb.


About the keystore, I imagined 9 years ago that a key server receiving a 
certificate update, not signed by its owner, could send a message to the 
owner (by default 1 time per day), in order to ask it to validate, or 
not, the modifications, before synchronizing the updated certificate, 
signed by its owner, on other key servers.


So I had to write a draft and start implementing a new MIME type for 
HTTP for these purposes, to upgrade the HKP protocol:


https://github.com/Open-UDC/open-udc/blob/master/docs/rfc/HTTP_OpenPGP_Authentication.draft.txt

https://github.com/Open-UDC/thttpgpd

But unfortunately I was perhaps too shy to talk about these ideas on an 
international mailing list, and they received little echo in my French 
environment:


https://linuxfr.org/users/jbar/journaux/thttpgpd-ou-comment-openudc-a-ressuscite-le-bon-vieux-thttpd


Today WKD / WKS seems to me a good compromise for the keystore trilemma, 
and probably the best way to get the latest version of 
"first-party-attested" certificates, with fresh uid / sub-key updates 
and revocations.


But it's only today that I discovered your git repository 
https://gitlab.com/openpgp-wg/rfc4880bis and your idea of 
"first-party-attested third-party certifications" (1pa3pc).


I therefore apologize if I do not add anything new or interesting to the 
debate today.



Jean-Jacques B.


On 28/06/2021 at 01:41, Jason Harris via Gnupg-devel wrote:
> There are still SKS servers running, but several are unsynchronized, 
> including, apparently, pgp.mit.edu.  Of course, they have the same key 
> import/poisoning problems already mentioned on these lists…
>
> Here are the hockeypuck servers I could find, all synchronizing 
> properly and apparently exchanging data (minus the unwanted packets) 
> with the SKS servers that are synchronized:
>
>   * http://keys.andreas-puls.de/pks/lookup?op=stats
>   * http://keys2.andreas-puls.de/pks/lookup?op=stats
>   * http://keys3.andreas-puls.de/pks/lookup?op=stats
>   * http://pgp.cyberbits.eu/pks/lookup?op=stats
>   * http://pgp.re:11371/pks/lookup?op=stats
>   * https://pgpkeys.eu/pks/lookup?op=stats
>   * https://keybath.trifence.ch/pks/lookup?op=stats
>   * https://keyserver.trifence.ch/pks/lookup?op=stats
>
> HTH.  (Please excuse the HTML.)
>
> Sent from my iPad
>
> On Jun 24, 2021, at 7:19 PM, deloptes via Gnupg-devel wrote:
>
>> Hi, we heard that sks-keyservers.net will be deprecated
>> so we were wondering what service we should use in the application 
>> default settings
>>
>> We I mean TDE devs
>>
>> where do we go from here?
>>
>> thank you in advance
>> BR



Re: recommendation for key servers

2021-06-28 Thread Стефан Васильев via Gnupg-users

Andrew Gallagher wrote:
> On 28 Jun 2021, at 18:02, Стефан Васильев via Gnupg-users wrote:
>> When looking at the stats, why are there IMHO such high numbers
>> (daily) on updated pub keys, compared to submitted ones?
>
> It’s not clear, but it may be due to a lack of canonical ordering of
> packets. Say Alice and Bob have both signed my key, but keyserver A
> and keyserver B have different copies of my key with Alice and Bob’s
> signatures in opposite order from each other. These keys will have
> different checksums, even though they contain the same functional
> information. If the sync process doesn’t result in A and B reordering
> the sigs in the same way, then they will keep syncing (successfully!)
> forever, incrementing the number of changes each time.


Ah, thanks. That makes sense, but could be then considered, software
wise, as unwanted behaviour.

Regards
Stefan


Re: recommendation for key servers

2021-06-28 Thread Andrew Gallagher via Gnupg-users

> On 28 Jun 2021, at 18:02, Стефан Васильев via Gnupg-users 
>  wrote:
> 
> When looking at the stats, why are there IMHO such high numbers
> (daily) on updated pub keys, compared to submitted ones?

It’s not clear, but it may be due to a lack of canonical ordering of packets. 
Say Alice and Bob have both signed my key, but keyserver A and keyserver B have 
different copies of my key with Alice and Bob’s signatures in opposite order 
from each other. These keys will have different checksums, even though they 
contain the same functional information. If the sync process doesn’t result in 
A and B reordering the sigs in the same way, then they will keep syncing 
(successfully!) forever, incrementing the number of changes each time. 

A
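The sync loop described in this message, as an added illustration that is not code from the thread or from any keyserver project: a toy model in Python in which OpenPGP packets are opaque byte strings (constructed sample values; nothing here parses real packets). It shows that a digest over the whole certificate differs when two keyservers hold Alice's and Bob's certifications in opposite order, so every sync round counts as an "update" although nothing changes; that a canonical ordering limited to the parts no signature covers (user IDs and the certifications under each, leaving each signature packet and its hashed subpackets exactly as on the wire) makes the digests agree; and that exploding the certificate into atomic components and syncing them as a set makes packet order irrelevant altogether. The `Cert` type, the digest functions and the sample key are all assumptions of this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    """Simplified transferable public key: a primary key packet plus user
    IDs, each with the certifications made over it. Every packet is an
    opaque byte string (constructed sample data, not real OpenPGP)."""
    primary: bytes
    uids: list  # list of (uid_packet, [signature_packet, ...])


def wire_digest(cert):
    """Digest of the certificate exactly as it appears on the wire."""
    h = hashlib.sha256(cert.primary)
    for uid, sigs in cert.uids:
        h.update(uid)
        for s in sigs:
            h.update(s)
    return h.hexdigest()


def canonical_digest(cert):
    """Like wire_digest, but the parts whose mutual order no signature
    covers (user IDs, and the certifications under each) are sorted
    bytewise first. Each signature packet is hashed as-is: its hashed
    subpackets are covered by the signature and must not be reordered."""
    h = hashlib.sha256(cert.primary)
    for uid, sigs in sorted(cert.uids, key=lambda item: item[0]):
        h.update(uid)
        for s in sorted(sigs):
            h.update(s)
    return h.hexdigest()


def components(cert):
    """Explode the certificate into atomic (parent, packet) pairs. A set
    has no order, so two servers holding the same packets always agree."""
    out = {(b"", cert.primary)}
    for uid, sigs in cert.uids:
        out.add((cert.primary, uid))
        for s in sigs:
            out.add((uid, s))
    return out


def merge_in(dst, src):
    """Order-insensitive import: append to dst only what it lacks and keep
    dst's existing order, which is what a keyserver merge typically does."""
    for uid, sigs in src.uids:
        for duid, dsigs in dst.uids:
            if duid == uid:
                missing = [s for s in sigs if s not in dsigs]
                dsigs.extend(missing)
                break
        else:
            dst.uids.append((uid, list(sigs)))


def count_updates(a, b, digest, rounds=5):
    """Run `rounds` sync rounds between private copies of a and b. An
    'updated key' is counted whenever the two digests disagree, which is
    what a keyserver stats page would report."""
    a = Cert(a.primary, [(u, list(s)) for u, s in a.uids])
    b = Cert(b.primary, [(u, list(s)) for u, s in b.uids])
    updates = 0
    for _ in range(rounds):
        if digest(a) != digest(b):
            updates += 1
            merge_in(a, b)
            merge_in(b, a)
    return updates


# Constructed sample: the same key on two servers, with Alice's and Bob's
# certifications stored in opposite order.
KEY = b"pubkey:carol"
UID = b"uid:Carol <carol@example.com>"
SIG_SELF = b"sig:self:hashed-subpackets-left-as-on-the-wire"
SIG_ALICE = b"sig:alice"
SIG_BOB = b"sig:bob"
SERVER_A = Cert(KEY, [(UID, [SIG_SELF, SIG_ALICE, SIG_BOB])])
SERVER_B = Cert(KEY, [(UID, [SIG_SELF, SIG_BOB, SIG_ALICE])])


def demo():
    """Compare the three strategies on the constructed sample."""
    return {
        "wire_digests_equal": wire_digest(SERVER_A) == wire_digest(SERVER_B),
        "canonical_digests_equal": canonical_digest(SERVER_A) == canonical_digest(SERVER_B),
        "component_sets_equal": components(SERVER_A) == components(SERVER_B),
        "updates_with_wire_digest": count_updates(SERVER_A, SERVER_B, wire_digest),
        "updates_with_canonical_digest": count_updates(SERVER_A, SERVER_B, canonical_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints the five comparisons. The wire digests never agree, so five rounds record five "updates" while no packet moves; the canonical digests and the component sets agree from the start, so the same five rounds record none. Note that `canonical_digest` only sorts between packets and never inside one: a signature's hashed subpackets are part of what was signed, so reordering them would invalidate the signature, which is why the canonicalization has to stop at the packet boundary.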

Re: recommendation for key servers

2021-06-28 Thread Стефан Васильев via Gnupg-users



Jason Harris wrote:
> There are still SKS servers running, but several are unsynchronized,
> including, apparently, pgp.mit.edu. Of course, they have the same key
> import/poisoning problems already mentioned on these lists…
>
> Here are the hockeypuck servers I could find, all synchronizing
> properly and apparently exchanging data (minus the unwanted packets)
> with the SKS servers that are synchronized:
>
> * http://keys.andreas-puls.de/pks/lookup?op=stats
> * http://keys2.andreas-puls.de/pks/lookup?op=stats
> * http://keys3.andreas-puls.de/pks/lookup?op=stats
> * http://pgp.cyberbits.eu/pks/lookup?op=stats
> * http://pgp.re:11371/pks/lookup?op=stats
> * https://pgpkeys.eu/pks/lookup?op=stats
> * https://keybath.trifence.ch/pks/lookup?op=stats
> * https://keyserver.trifence.ch/pks/lookup?op=stats


Thanks for the info.

When looking at the stats, why are there IMHO such high numbers
(daily) on updated pub keys, compared to submitted ones?

Regards
Stefan


Re: recommendation for key servers

2021-06-27 Thread Jason Harris via Gnupg-users

There are still SKS servers running, but several are unsynchronized, including, 
apparently, pgp.mit.edu.  Of course, they have the same key import/poisoning 
problems already mentioned on these lists…

Here are the hockeypuck servers I could find, all synchronizing properly and 
apparently exchanging data (minus the unwanted packets) with the SKS servers 
that are synchronized:

  * http://keys.andreas-puls.de/pks/lookup?op=stats
  * http://keys2.andreas-puls.de/pks/lookup?op=stats
  * http://keys3.andreas-puls.de/pks/lookup?op=stats
  * http://pgp.cyberbits.eu/pks/lookup?op=stats
  * http://pgp.re:11371/pks/lookup?op=stats
  * https://pgpkeys.eu/pks/lookup?op=stats
  * https://keybath.trifence.ch/pks/lookup?op=stats
  * https://keyserver.trifence.ch/pks/lookup?op=stats

HTH.  (Please excuse the HTML.)

Sent from my iPad

> On Jun 24, 2021, at 7:19 PM, deloptes via Gnupg-devel  
> wrote:
> 
> 
> Hi, we heard that sks-keyservers.net will be deprecated 
> so we were wondering what service we should use in the application default 
> settings
> We I mean TDE devs
> 
> where do we go from here?
> 
> thank you in advance
> BR