[Sks-devel] New operator key; request for peering
Dear all,

My current operator key expires today, so I've switched to my new one. This email is likely to be the final one signed by my old key. I have a full statement at http://alderwick.co.uk/gpg-transition.txt signed by both keys, but for those of you peering with the following membership lines:

keys.alderwick.co.uk 11370 # Andrew Alderwick 0x3ABB8CDAC6BEA800
keys2.alderwick.co.uk 11370 # Andrew Alderwick 0x3ABB8CDAC6BEA800

please update them to:

keys.alderwick.co.uk 11370 # Andrew Alderwick 0x6E4730742E01FC54
keys2.alderwick.co.uk 11370 # Andrew Alderwick 0x6E4730742E01FC54

I've updated my SKS servers to match. These servers have been in the pool for a long time, but a few more peers would be most welcome! To peer with me, please add the new lines to your membership file and let me know what your entries are.

Thanks very much,
Andy

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Checking dump
Hi everyone!

What a useful thread! I've started playing around with key dumps with an aim to host them for others, so this couldn't be better timed.

On Mon, Jan 04, 2016 at 05:19:50PM +0100, Gabor Kiss wrote:
> Now if I count lines with 'packet:' string in output of "gpg --list-packets" the result is only 406929. Even if I sum every line of output it is less than 2.5 million. It is far from 4 million keys allegedly stored on my server.
> I wonder what SKS counts as a key in the stats?
> Or do you think my keydump is just garbage? :-)

I'm starting to think your dumps may be bad. I've counted the 'packet:' lines and the total lines and my figures come to 14 million and 89 million respectively. Here are my exact command lines and truncated output:

$ for F in sks-dump-0???.pgp; do gpg --list-packets < "${F}"; done | grep -v '^\s' | grep 'packet:' | wc -l
gpg: mpi too large for this implementation (56104 bits)
gpg: mpi too large for this implementation (31822 bits)
gpg: mpi too large for this implementation (35677 bits)
gpg: packet(2) with unknown version 6
gpg: signature packet: unhashed data too long
gpg: signature packet: unhashed data too long
[many similar errors…]
13998000

$ for F in sks-dump-0???.pgp; do gpg --list-packets < "${F}"; done | wc -l
gpg: mpi too large for this implementation (56104 bits)
[…]
89464944

There are 4146198 keys in this dump, and it takes up 7.6G (the .pgp files aren't compressed).

Hope this helps!
Andy
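The commands above count lines of gpg output, and gpg's "mpi too large" and "unknown version 6" errors show it is dropping material it cannot parse, so neither figure is the number of keys. The following is an added example, not code from the list or from SKS: it walks the RFC 4880 packet framing of a dump directly (old- and new-format headers, including partial body lengths) without interpreting packet bodies, and reports the count of primary public-key packets (tag 6), which is what a keyserver's key count corresponds to, separately from the total packet count. The sample dump at the bottom is constructed by hand.

```python
"""Count packets and keys in an OpenPGP key dump by walking packet headers only."""
import struct
import sys
from collections import Counter

TAG_SIGNATURE = 2       # RFC 4880 section 5.2
TAG_PUBLIC_KEY = 6      # primary key: one per key in the dump
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14


def read_packet_headers(data):
    """Yield (tag, body_length, header_offset) for every packet in data."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte 0x%02x at offset %d" % (ctb, pos))
        start = pos
        pos += 1
        if ctb & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            body_len = 0
            while True:
                first = data[pos]
                pos += 1
                if first < 192:             # one-octet length
                    chunk, partial = first, False
                elif first < 224:           # two-octet length
                    chunk = ((first - 192) << 8) + data[pos] + 192
                    pos += 1
                    partial = False
                elif first == 255:          # five-octet length
                    chunk = struct.unpack(">I", data[pos:pos + 4])[0]
                    pos += 4
                    partial = False
                else:                       # 224..254: partial body length, more chunks follow
                    chunk, partial = 1 << (first & 0x1F), True
                body_len += chunk
                pos += chunk
                if not partial:
                    break
        else:                               # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                body_len = data[pos]
                pos += 1
            elif ltype == 1:
                body_len = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                body_len = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                           # indeterminate length: body runs to end of input
                body_len = n - pos
            pos += body_len
        if pos > n:
            raise ValueError("packet at offset %d runs past end of input" % start)
        yield tag, body_len, start


def count_dump(data):
    """Return {'packets': total, 'keys': tag-6 count, 'by_tag': {tag: count}}."""
    tags = Counter(tag for tag, _, _ in read_packet_headers(data))
    return {"packets": sum(tags.values()), "keys": tags[TAG_PUBLIC_KEY], "by_tag": dict(tags)}


# --- constructed sample dump: two keys, each pubkey + user id + signature + subkey ---
def _old_format(tag, body):
    """Old-format header with a one-octet length (body < 256 bytes)."""
    return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body


def _new_format(tag, body):
    """New-format header with a one- or two-octet length (body < 8384 bytes)."""
    length = len(body)
    if length < 192:
        header = bytes([length])
    else:
        header = bytes([192 + ((length - 192) >> 8), (length - 192) & 0xFF])
    return bytes([0xC0 | tag]) + header + body


def _sample_key(uid):
    # Subkey uses partial body lengths: a 1-byte chunk (0xE0) then a final 5-byte chunk.
    partial_subkey = bytes([0xC0 | TAG_PUBLIC_SUBKEY, 0xE0]) + b"A" + bytes([5]) + b"BCDEF"
    return (_old_format(TAG_PUBLIC_KEY, b"\x04" + bytes(10))
            + _new_format(TAG_USER_ID, uid)
            + _new_format(TAG_SIGNATURE, bytes(300))
            + partial_subkey)


SAMPLE_DUMP = _sample_key(b"Alice <alice@example.org>") + _sample_key(b"Bob <bob@example.org>")

if __name__ == "__main__":
    # Usage: python count_dump.py sks-dump-0000.pgp sks-dump-0001.pgp ...
    total = Counter()
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            total.update(count_dump(fh.read())["by_tag"])
    print("packets:", sum(total.values()), "keys:", total[TAG_PUBLIC_KEY])
```

Because the parser only needs the framing, oversized MPIs and unknown packet versions in the dump do not make it skip anything; a dump that fails to frame at all raises an error, which is the "garbage dump" case worth distinguishing from a low count.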
Re: [Sks-devel] Heartbleed and HKPS pool
Dear Rolf,

On Tue, May 27, 2014 at 10:18:31PM +0200, Rolf Wuerdemann wrote:
> On 27.05.2014 17:41, Kristian Fiskerstrand wrote:
>> On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:
>>> To check the inclusion of your server in the hkps pool, look at the HKPS column of:
>>> https://sks-keyservers.net/status/
>
> Could you please explain the color-codes (on the page?). Red/green is obvious, but I don't know where this "orange" color for hkps sites comes from (SNI?)

Orange under the hkps column means that the server is vulnerable to CVE-2014-3207, which has been patched in SKS 1.1.5 [1,2]. The vulnerability isn't limited to hkps, but Kristian will at some point make 1.1.5 a requirement for being part of the hkps pool [3]. So the orange is left undocumented as it's intended as a temporary warning to admins (such as me!) who are yet to update their servers.

Thanks,
Andy

[1] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg0.html
[2] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00026.html
[3] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00033.html
Re: [Sks-devel] old certificates
Dear all,

On Tue, Apr 29, 2014 at 12:52:54PM +0200, Kiss Gabor (Bitman) wrote:
> keys.alderwick.co.uk   Feb 7 18:22:08 2014 GMT
> keys2.alderwick.co.uk  Feb 7 18:22:36 2014 GMT

They were vulnerable for a couple of days, so I've replaced their private keys and certs. Thanks very much for the scan, Gabor!

Best wishes,
Andy
Re: [Sks-devel] Configuring the reverse proxy to support large keys - HTTP error 413
Dear all,

On Mon, Apr 28, 2014 at 06:25:45PM +0200, Kristian Fiskerstrand wrote:
> I've received reports that uploading some (large) keys to some of the keyservers in the pool (my test shows failure on 30 servers after trying to run against 115: These are listed in [A]) results in a
> gpgkeys: HTTP post error 22: The requested URL returned error: 413 Request Entity Too Large
> [...]
> keys2.alderwick.co.uk
> keys.alderwick.co.uk

Good catch, Kristian, and thanks for scanning my servers. I've fixed their config now.

On Mon, Apr 28, 2014 at 07:05:00PM +0200, Gabor Kiss wrote:
>> I have not yet implemented an automated check for this in the pool (and a bit unsure how I'd do it without actually sending a large amount of data to the server during the check, something I generally want to avoid), but might run a semi-manual / scripted check and add affected servers to the blacklist if the issue persists after some time.
>
> My 2 cents:
> It is not necessary to test this attribute more than once a week. And servers passing the test need no more examination.

I was wondering if, separately to the automated checks, a script on the wiki would be helpful for new admins to test a server. I could have a bash at it, unless anyone knows of a testing script that already exists. Example output:

$ ./sks-lint keys.alderwick.co.uk
Testing keys.alderwick.co.uk...
[ OK ] SKS version is 1.1.4
[ OK ] 3608500 keys in database
[ OK ] lookup via port 80 supported
[FAIL] lookup via hkps failed
       - SSL certificate is invalid
       - common name is ssl.alderwick.co.uk
       - see http://example.com/sni
[FAIL] large key upload failed
       - server returned HTTP error 413
       - see http://example.com/upload_size

Such a script could come with switches for the admin to indicate if they're interested in being in all the pools, some of them, or merely checking that their config doesn't have any obvious flaws.

Thanks,
Andy
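A sketch of what the proposed sks-lint could look like for the version, key-count and large-upload checks, written as an added example for this thread: it is not the script Andy proposed, not part of SKS, and is meant for an admin testing their own server. It fetches /pks/lookup?op=stats over HKP (port 11371 is SKS's default; the "Version:" and "Total number of keys:" labels are assumed from the layout of the SKS stats page), then posts a body about the size of a large key to /pks/add and treats a 413 as the reverse-proxy limit Kristian's reports describe. The hkps certificate check from the example output is left out. The fetcher is a parameter, so the checks also run offline against the constructed responses at the bottom.

```python
"""Lint checks for an SKS keyserver: version, key count, and the HTTP 413 upload limit."""
import re
import urllib.error
import urllib.request

MIN_VERSION = (1, 1, 4)          # assumed: the version the example output above treats as OK
LARGE_UPLOAD_BYTES = 1_000_000   # assumed: roughly the size of the keys that triggered 413
HKP_PORT = 11371                 # SKS default HKP port; port 80 is normally the reverse proxy


class Result:
    def __init__(self, ok, message):
        self.ok, self.message = ok, message

    def __str__(self):
        return ("[ OK ] " if self.ok else "[FAIL] ") + self.message


def http_fetch(url, data=None, timeout=15.0):
    """Return (status, body); POST when data is given. HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError) as exc:
        return 0, str(exc)


def check_stats(stats_html):
    """Version and key-count checks against the text of /pks/lookup?op=stats."""
    text = re.sub(r"<[^>]+>", " ", stats_html)          # drop tags so labels and values are adjacent
    results = []
    m = re.search(r"Version:\s*([0-9]+(?:\.[0-9]+)+)", text)
    if m is None:
        results.append(Result(False, "could not read SKS version from stats page"))
    else:
        version = tuple(int(x) for x in m.group(1).split("."))
        results.append(Result(version >= MIN_VERSION, "SKS version is " + m.group(1)))
    m = re.search(r"Total number of keys:\s*([0-9]+)", text)
    if m is None:
        results.append(Result(False, "could not read key count from stats page"))
    else:
        results.append(Result(int(m.group(1)) > 0, m.group(1) + " keys in database"))
    return results


def judge_upload(status):
    """Interpret the status of the large POST: 413 means the proxy rejected the body size."""
    if status == 413:
        return Result(False, "large key upload failed - server returned HTTP error 413")
    if status == 0:
        return Result(False, "large key upload failed - no HTTP response")
    return Result(True, "large key upload accepted by proxy (HTTP %d)" % status)


def lint(host, fetch=http_fetch, port=HKP_PORT):
    base = "http://%s:%d" % (host, port)
    results = []
    status, body = fetch(base + "/pks/lookup?op=stats")
    if status != 200:
        results.append(Result(False, "lookup via port %d failed (HTTP %d)" % (port, status)))
    else:
        results.append(Result(True, "lookup via port %d supported" % port))
        results.extend(check_stats(body))
    # The body is not a valid key and SKS will reject it; the point is only whether
    # the proxy lets a key-sized request reach SKS at all (anything but 413).
    status, _ = fetch(base + "/pks/add", data=b"keytext=" + b"A" * LARGE_UPLOAD_BYTES)
    results.append(judge_upload(status))
    return results


# --- constructed responses for offline use (not captured from a real server) ---
SAMPLE_STATS = """<html><body><h2>Settings</h2>
<table><tr><td>Hostname:</td><td>keys.example.invalid</td></tr>
<tr><td>Version:</td><td>1.1.4</td></tr></table>
<h2>Statistics</h2><p>Total number of keys: 3608500</p></body></html>"""


def constructed_fetch(upload_status):
    """Fetcher returning the constructed stats page and a fixed status for the upload probe."""
    def fetch(url, data=None, timeout=15.0):
        if "op=stats" in url:
            return 200, SAMPLE_STATS
        return upload_status, ""
    return fetch


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                  # usage: python sks_lint.py keys.example.invalid
        results = lint(sys.argv[1])
    else:                                  # no host given: show the offline run against a 413 proxy
        results = lint("keys.example.invalid", fetch=constructed_fetch(413))
    for r in results:
        print(r)
```

The upload probe sends about a megabyte once, which is why Gabor's point about testing no more than weekly, and only until a server passes, matters if something like this were ever run against the whole pool rather than by an admin against their own server.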