[Sks-devel] Shutdown of pgp.ustc.edu.cn

2019-07-02 Thread Shengjing Zhu
Hi,

I have shut down pgp.ustc.edu.cn. Please remove this server from
your membership file.

Thanks!

Shengjing Zhu

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] new attack on sks keyserver ?

2019-07-02 Thread stuff
Hi Alex,

You're correct, sks does not have a future as no one is maintaining them and as
you have seen they can no longer fulfill their intended purpose.

Yakamo

On Tue, 2 Jul 2019 07:31:17 -0700 (MST)
compuguy wrote:

> Robert,
> 
> I think the question that people want answered is does the sks keyserver
> network have a future? Based on what I've been reading as far back as 2018,
> seems to indicate that servers like keys.openpgp.org are the future.
> 
> Thank You,
> 
> Alex "compuguy" Hall
> 
> 
> Robert J. Hansen-3 wrote
> >> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> > 
> > As the guy who wrote that, yeah, I'm pretty sure we here are aware of
> > it.  ;)
> > 
> > Kristian, who is the major figure behind the SKS keyserver network, has
> > also apparently been targeted.  We are keenly aware of the issue.  But
> > thank you for your thoughtfulness!  :)
> > 


Re: [Sks-devel] new attack on sks keyserver ?

2019-07-02 Thread compuguy
Robert,

I think the question that people want answered is does the sks keyserver
network have a future? Based on what I've been reading as far back as 2018,
seems to indicate that servers like keys.openpgp.org are the future.

Thank You,

Alex "compuguy" Hall


Robert J. Hansen-3 wrote
>> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> 
> As the guy who wrote that, yeah, I'm pretty sure we here are aware of
> it.  ;)
> 
> Kristian, who is the major figure behind the SKS keyserver network, has
> also apparently been targeted.  We are keenly aware of the issue.  But
> thank you for your thoughtfulness!  :)
> 


Re: [Sks-devel] new attack on sks keyserver ?

2019-07-02 Thread info
> * Stop serving poisoned certificates to any client (by configuring our
> HTTP gateway with another URL blacklist, so that GETs for poisoned
> keys are not allowed). I'm planning to use some of the existing DB
> statistics scripts to extract the list of keys which have more than N
> signatures (which N would be reasonable? 10? 30? 300?) - ONGOING

You can parse the key, strip out all 3rd party certifications (or all
except the first N), and store it stripped. Our keyserver does this.
Benefit - less data to manage. (I'd contribute the code but it's not
OCaml).

0x0D5688EBF3102BE7.asc
Description: application/pgp-keys


Re: [Sks-devel] new attack on sks keyserver ?

2019-07-02 Thread me
Hi Jorge,

you might as well use keys.openpgp.org in that case.

you won't have to maintain broken software or deal with poisoned keys.

or you can even run your own instance of Hagrid if you want to maintain control.



Yakamo



On Tue, 2 Jul 2019 12:16:24 +0200
Jorge Gonzalez wrote:

> Hi, all,
> 
> just in case anyone is interested, these are the first measures that I
> have implemented (or plan to implement) on ICIJ key server:
> 
> * Stop accepting SKS updates from peers (by removing all peers from our
> "membership" file). - DONE
> 
> * Stop accepting SKS updates from external sources (by configuring our
> HTTP gateway with a URL blacklist, so that POSTs for new keys are not
> accepted except from our internal networks) - ONGOING
> 
> * Tell users to upload any needed PGP key manually to our own keyserver
> - DONE
> 
> * Tell users and partners to use ICIJ keyserver (and not others) for
> communicating with us using PGP. - DONE
> 
> * Stop serving poisoned certificates to any client (by configuring our
> HTTP gateway with another URL blacklist, so that GETs for poisoned keys
> are not allowed). I'm planning to use some of the existing DB statistics
> scripts to extract the list of keys which have more than N signatures
> (which N would be reasonable? 10? 30? 300?) - ONGOING
> 
> Effectively, this has turned our server into a PGP island which does not
> receive updates, but it serves our purpose, since we regularly update
> it manually. YMMV.
> 
> Any comments are welcome.
> 
> J.
> 
> 
> *Jorge Gonzalez Villalonga*
> Systems Engineer
> *The International Consortium of Investigative Journalists*
> 
> 910 17th Street NW, Suite 410 | Washington DC 20006 | United States
> Phone: +34 672 173 200 (Madrid, Spain)
> On 1/7/19 at 12:17, Robert J. Hansen wrote:
> >> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> > As the guy who wrote that, yeah, I'm pretty sure we here are aware of
> > it.  ;)
> >
> > Kristian, who is the major figure behind the SKS keyserver network, has
> > also apparently been targeted.  We are keenly aware of the issue.  But
> > thank you for your thoughtfulness!  :)
> >


Re: [Sks-devel] new attack on sks keyserver ?

2019-07-02 Thread Jorge Gonzalez
Hi, all,

just in case anyone is interested, these are the first measures that I
have implemented (or plan to implement) on ICIJ key server:

* Stop accepting SKS updates from peers (by removing all peers from our
"membership" file). - DONE

* Stop accepting SKS updates from external sources (by configuring our
HTTP gateway with a URL blacklist, so that POSTs for new keys are not
accepted except from our internal networks) - ONGOING

* Tell users to upload any needed PGP key manually to our own keyserver
- DONE

* Tell users and partners to use ICIJ keyserver (and not others) for
communicating with us using PGP. - DONE

* Stop serving poisoned certificates to any client (by configuring our
HTTP gateway with another URL blacklist, so that GETs for poisoned keys
are not allowed). I'm planning to use some of the existing DB statistics
scripts to extract the list of keys which have more than N signatures
(which N would be reasonable? 10? 30? 300?) - ONGOING

Effectively, this has turned our server into a PGP island which does not
receive updates, but it serves our purpose, since we regularly update
it manually. YMMV.

Any comments are welcome.

J.


*Jorge Gonzalez Villalonga*
Systems Engineer
*The International Consortium of Investigative Journalists*

910 17th Street NW, Suite 410 | Washington DC 20006 | United States
Phone: +34 672 173 200 (Madrid, Spain)
On 1/7/19 at 12:17, Robert J. Hansen wrote:
>> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> As the guy who wrote that, yeah, I'm pretty sure we here are aware of
> it.  ;)
>
> Kristian, who is the major figure behind the SKS keyserver network, has
> also apparently been targeted.  We are keenly aware of the issue.  But
> thank you for your thoughtfulness!  :)
>


signature.asc
Description: OpenPGP digital signature
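
The two ideas raised in this thread, counting the third-party signatures on a certificate and storing it with those certifications stripped (all of them, or all except the first N), shown as an added Python example; it is not code from the thread or from any keyserver mentioned in it. It assumes one binary (unarmored) certificate with a v4 primary key and short subpackets, and the names `packets`, `issuer`, `strip_third_party` and `keep` are hypothetical.

```python
import hashlib

CERTS = {0x10, 0x11, 0x12, 0x13}  # certification signature types over a User ID

def packets(data):  # yields (tag, body, raw) per definite-length packet, RFC 4880 4.2
    i = 0
    while i < len(data):
        start, h = i, data[i]
        if h & 0x40:                      # new-format header
            tag, n, i = h & 0x3F, data[i + 1], i + 2
            if n >= 224:
                raise ValueError("partial/5-octet lengths not handled here")
            if n >= 192:                  # two-octet length
                n, i = ((n - 192) << 8) + data[i] + 192, i + 1
        else:                             # old-format header
            tag, w = (h >> 2) & 0x0F, (1, 2, 4)[h & 3]  # type 3 (indeterminate): IndexError
            n, i = int.from_bytes(data[i + 1:i + 1 + w], "big"), i + 1 + w
        yield tag, data[i:i + n], data[start:i + n]
        i += n

def issuer(sig):  # (signature type, issuer key ID or None) of a v3/v4 signature body
    if sig[0] == 3:
        return sig[2], sig[7:15]
    pos = 4
    for _ in range(2):                    # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(sig[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            n = sig[pos]                  # subpacket length, includes the type octet
            if not 0 < n < 192:
                raise ValueError("empty or multi-octet subpacket not handled here")
            if sig[pos + 1] & 0x7F == 16:  # issuer key ID subpacket
                return sig[1], sig[pos + 2:pos + 10]
            pos += 1 + n
    return sig[1], None

def strip_third_party(cert, keep=0):  # -> (stripped cert, third-party certs seen)
    out, me, seen = [], None, 0
    for tag, body, raw in packets(cert):
        if tag == 6:                      # primary key (assumed v4): low 64 bits of SHA-1
            me = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]
        elif tag == 2:
            sig_type, who = issuer(body)
            if sig_type in CERTS and who != me:
                seen += 1
                if seen > keep:           # drop everything past the first `keep`
                    continue
        out.append(raw)
    return b"".join(out), seen
```

The returned count can be compared against a threshold N to decide which certificates to withhold. The issuer key ID is unauthenticated metadata, so a deployment should also verify the self-signatures it keeps; this example does not.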