Re: [Sks-devel] nokeyserver annotation
Vincent Breitmoser writes:

>> - to do this keyservers will have to actually do cryptography
>
> Are you sure? I don't think there's any attack scenario here: If any
> such signature exists, you can't upload the key.

You can strip that signature. If you only consider accidental uploads of the key that's no problem at all. If you want to *prevent* the key from being uploaded you'll have to require that *all* self-signatures contain the annotation and you have to (cryptographically) ensure the key contains valid self-signatures (so an intruder can't fake a key without the annotation).

I guess one could even have both (if willing to accept the crypto requirement on the keyserver): it'll be rejected if any such self-sig exists and also rejected if no other usable self-sig is present.

Christoph

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] nokeyserver annotation
Hi!

Kim Minh Kaplan writes:

> Daniel Kahn Gillmor wrote:
>> I'd like the keyservers to reject keys with any self-sigs with the
>> "nokeyserver" notation. The novel thing is that this notation doesn't
>> exist yet :)
>
> - how does one propagate a "nokeyserver" annotation on a key in the
> SKS network when this network does not carry said key

Assuming the intention is tagging my key (which hasn't been published so far) so it doesn't end up on the keyserver. In that case *all* self-sigs would need to carry the notation as otherwise an intruder could just remove the newest nokeyserver selfsig and still have a valid key (iff all self-sigs have that flag, no upload can be crafted that has verifying self-signatures and does not carry the flag).

Christoph
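The two messages above argue about what a keyserver-side "nokeyserver" check has to do. The following is an added example (not SKS code and not from anyone on the list) that models both policies and both attacker moves. Self-signatures are stood in for by HMACs under the owner's secret, so "verify" means what the real keyserver would do by checking the OpenPGP self-signature against the key's own public key; the notation name, the fingerprint and the secret are constructed, since the thread notes the notation does not exist yet.

```python
"""Toy model of the keyserver-side nokeyserver policy from the sks-devel thread.
Added example, not SKS code. Self-signatures are HMACs with the key owner's
secret, standing in for real OpenPGP self-signatures; only the policy logic
and the two attacker transformations are the point."""
import hashlib
import hmac
import json
from dataclasses import dataclass

NOKEYSERVER = "nokeyserver@example.org"    # hypothetical notation name
OWNER_SECRET = b"constructed-owner-secret"  # stands in for the owner's private key
FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed


@dataclass(frozen=True)
class SelfSig:
    uid: str
    created: int
    notations: tuple  # notation names carried in the signature
    mac: bytes        # stand-in for the OpenPGP signature value


@dataclass
class Key:
    fingerprint: str
    self_sigs: list


def _payload(fingerprint, uid, created, notations):
    return json.dumps([fingerprint, uid, created, sorted(notations)]).encode()


def sign(secret, fingerprint, uid, created, notations=()):
    """Owner side: bind uid (and notations) to the key with a self-signature."""
    mac = hmac.new(secret, _payload(fingerprint, uid, created, notations), hashlib.sha256).digest()
    return SelfSig(uid, created, tuple(sorted(notations)), mac)


def verify(secret, key, sig):
    expected = hmac.new(secret, _payload(key.fingerprint, sig.uid, sig.created, sig.notations),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig.mac, expected)


def naive_policy(key):
    """First proposal: reject iff any self-sig carries the notation; no crypto at all."""
    return not any(NOKEYSERVER in s.notations for s in key.self_sigs)


def verifying_policy(key, verify_fn):
    """Stricter variant: reject if a valid annotated self-sig exists, and also
    reject if no valid self-sig is left at all."""
    valid = [s for s in key.self_sigs if verify_fn(key, s)]
    if not valid:
        return False
    return not any(NOKEYSERVER in s.notations for s in valid)


def strip_annotated(key):
    """Attacker move 1: drop every self-sig carrying the notation before uploading."""
    return Key(key.fingerprint, [s for s in key.self_sigs if NOKEYSERVER not in s.notations])


def forge_unannotated(key):
    """Attacker move 2 (no private key): rewrite the self-sigs without the notation,
    keeping the old signature values, which then no longer verify."""
    forged = [SelfSig(s.uid, s.created, tuple(n for n in s.notations if n != NOKEYSERVER), s.mac)
              for s in key.self_sigs]
    return Key(key.fingerprint, forged)


def scenarios():
    """Run both policies against both attacker moves; returns {name: accepted?}."""
    uid = "Alice <alice@example.org>"
    v = lambda k, s: verify(OWNER_SECRET, k, s)
    # Key A: only the newest self-sig carries the notation, an older plain one remains.
    key_a = Key(FINGERPRINT, [sign(OWNER_SECRET, FINGERPRINT, uid, 1400000000),
                              sign(OWNER_SECRET, FINGERPRINT, uid, 1470000000, (NOKEYSERVER,))])
    # Key B: every self-sig carries the notation.
    key_b = Key(FINGERPRINT, [sign(OWNER_SECRET, FINGERPRINT, uid, 1400000000, (NOKEYSERVER,)),
                              sign(OWNER_SECRET, FINGERPRINT, uid, 1470000000, (NOKEYSERVER,))])
    return {
        "A/naive/as-is": naive_policy(key_a),
        "A/naive/stripped": naive_policy(strip_annotated(key_a)),
        "A/verifying/stripped": verifying_policy(strip_annotated(key_a), v),
        "B/naive/stripped": naive_policy(strip_annotated(key_b)),
        "B/naive/forged": naive_policy(forge_unannotated(key_b)),
        "B/verifying/as-is": verifying_policy(key_b, v),
        "B/verifying/stripped": verifying_policy(strip_annotated(key_b), v),
        "B/verifying/forged": verifying_policy(forge_unannotated(key_b), v),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:24} {'ACCEPTED' if accepted else 'rejected'}")
```

Key A (only the newest self-sig annotated) gets through both policies once the annotated signature is stripped, which is the point about *all* self-sigs needing the flag. Key B is rejected by the verifying policy whether uploaded as-is, stripped (nothing verifiable left) or rewritten without the notation (signatures no longer verify), while the naive policy accepts both attacker versions because it never checks signatures.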
Re: [Sks-devel] sks-keyservers.net: DNS-Admins: action needed: Unexpected IP change
Kristian Fiskerstrand writes:

> if you find any information unexpected send a response and request a signed
> confirmation]
> Unexpected IP change

Almost ironic ;-)

Christoph
Re: [Sks-devel] Unreachable status (still) for pgp.key-server.io
Danny Horne writes:

> # dig +norecurse +noall +stats @66.33.206.206 pgp.key-server.io
> ;; Query time: 136 msec
> ;; SERVER: 66.33.206.206#53(66.33.206.206)
> ;; WHEN: Fri Nov 18 17:51:19 UTC 2016
> ;; MSG SIZE  rcvd: 62
>
> # dig +norecurse +noall +stats +tcp +time=20 @66.33.206.206 pgp.key-server.io
> ;; Query time: 135 msec
> ;; SERVER: 66.33.206.206#53(66.33.206.206)
> ;; WHEN: Fri Nov 18 17:51:30 UTC 2016
> ;; MSG SIZE  rcvd: 62

What exactly are you trying to say? Because it works at *your* place it can't be broken somewhere else? It's nice the resolver responds quickly for you but it's utterly irrelevant.

Christoph
Re: [Sks-devel] IPv6 out of action?
Hi!

Kristian Fiskerstrand writes:

> On 10/28/2016 02:22 PM, dirk astrath wrote:
>> Hello,
>> Seems IPv6 connectivity is borked on https://sks-keyservers.net/status/ ,
>> no live keyservers are listed as having IPv6 available
>>> Yes, I'm experiencing IPv6 issues with sixxs tunnels atm
>>
>> I heard the same from a hackerspace colleague a day ago about sixxs ...
>>
>> ... seems, that their service is currently not running or they're
>> shutting it down (according to tweets by sixxs users).
>>
>> are you able to keep the ipv6-traversal running even if sixxs will not
>> come back?
>
> Will need to find another tunnel provider (he perhaps) in that case

FWIW this was done by setting the DNS address of their tic service to localhost. It's working again since yesterday evening. Restarting your tunnel should fix it for now. But I guess we can expect more "fun" from sixxs in the future.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Depeering Notice
Hi!

Gabor Kiss writes:

> Or don't you want to peer with servers having too few keys?

Having too few keys leads to practical problems .. it directly leads to excessive resource usage during recon. Having a large delta and not catching up is a very good reason to de-peer.

Christoph
Re: [Sks-devel] Need help with clustered setup
Hi!

Danny Horne writes:

> I don't understand why you're seeing this error, can see it in my logs
> but test emails to my address (from GMail) are getting through

IPv4 vs IPv6

| $ swaks -6 --to da...@lockmail.net --from christoph.eg...@fau.de -q TO
| === Trying smtp.trisect.uk:25...
| === Connected to smtp.trisect.uk.
| <-  220 smtp.trisect.uk ESMTP Postfix
|  -> EHLO 1und1.siccegge.de
| <-  250-smtp.trisect.uk
| <-  250-PIPELINING
| <-  250-SIZE 5120
| <-  250-VRFY
| <-  250-ETRN
| <-  250-STARTTLS
| <-  250-AUTH CRAM-MD5
| <-  250-ENHANCEDSTATUSCODES
| <-  250-8BITMIME
| <-  250-DSN
| <-  250 SMTPUTF8
|  -> MAIL FROM:
| <-  250 2.1.0 Ok
|  -> RCPT TO:
| <** 451 4.3.5 : Recipient address rejected: Server configuration problem
|  -> QUIT
| <-  221 2.0.0 Bye
| === Connection closed with remote host.

vs

| $ swaks -4 --to da...@lockmail.net --from christoph.eg...@fau.de -q TO
| === Trying smtp.trisect.uk:25...
| === Connected to smtp.trisect.uk.
| <-  220 smtp.trisect.uk ESMTP Postfix
|  -> EHLO 1und1.siccegge.de
| <-  250-smtp.trisect.uk
| <-  250-PIPELINING
| <-  250-SIZE 5120
| <-  250-VRFY
| <-  250-ETRN
| <-  250-STARTTLS
| <-  250-AUTH CRAM-MD5
| <-  250-ENHANCEDSTATUSCODES
| <-  250-8BITMIME
| <-  250-DSN
| <-  250 SMTPUTF8
|  -> MAIL FROM:
| <-  250 2.1.0 Ok
|  -> RCPT TO:
| <** 450 4.2.0 : Recipient address rejected: Greylisted for 60 seconds
|  -> QUIT
| <-  221 2.0.0 Bye
| === Connection closed with remote host.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] peer request for pgp.uplinklabs.net
Gunnar Wolf writes:

> Andrew Gallagher dijo [Wed, Aug 31, 2016 at 10:14:01AM +0100]:
>> I'm sceptical of the utility of ECC keys personally. They were first
>> proposed as a way of reducing work and storage space (because the
>> space of usable ECC keys is more compact than the sparsely
>> distributed RSA primes). But they've taken so long to catch on that
>> technology advancement has made their original justification largely
>> irrelevant (the only exception to my knowledge being DNSSEC, where
>> signature length restrictions are still important). And because the
>> ECC keyspace is more efficiently packed, it is theoretically *more*
>> susceptible to quantum attacks.
>
> I'm far from a worthy crypto geek myself, but still — Storage space is
> not the decisive issue; storing a million 4096-bit keys is only an
> order of magnitude more than storing a million 256-bit keys (the same
> proportion would naturally apply for a single key), and information
> appended to the keys themselves (such as photo attributes and the
> signatures that constitute the web of trust) make the difference quite
> unnoticeable.

It also affects the size of each signature / certificate:

| :signature packet: algo 22, keyid 1BB721A4B254D8E1
|         version 4, created 1472657540, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest fd 82
|         hashed subpkt 2 len 4 (sig created 2016-08-31)
|         subpkt 16 len 8 (issuer key ID 1BB721A4B254D8E1)
|         data: [256 bits]
|         data: [256 bits]

vs

| :signature packet: algo 1, keyid ABFFEDB24008C6F9
|         version 4, created 1472657570, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest c8 06
|         hashed subpkt 2 len 4 (sig created 2016-08-31)
|         subpkt 16 len 8 (issuer key ID ABFFEDB24008C6F9)
|         data: [4095 bits]

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
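The two `--list-packets` dumps above are v4 signature packets (RFC 4880 section 5.2.3); the "data:" lines are the MPIs holding the actual signature value. The following added example (not gpg's code and not from anyone on the list) builds both packets with dummy MPI values of the same bit sizes and parses them back, which makes the size difference concrete: 2 x 32 bytes of signature material for the EdDSA key versus 512 bytes for the 4096-bit RSA key, plus a longer packet length header. Key IDs, creation times and the digest prefix are taken from the dump; the MPI values are constructed.

```python
"""Build and parse RFC 4880 v4 signature packets to compare the signature material
carried by an EdDSA (algo 22) and an RSA (algo 1) signature. Added example, not gpg
code; MPI values are dummies, the other constants come from the dump in the thread."""
import struct

ALGO_NAMES = {1: "RSA", 19: "ECDSA", 22: "EdDSA"}  # public-key algorithm IDs as gpg numbers them


def encode_len(n):
    """New-format packet/subpacket length octets (RFC 4880 4.2.2 and 5.2.3.1)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_len(buf, pos):
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported here")


def encode_mpi(value):
    """OpenPGP MPI: 2-octet bit length, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def subpacket(sub_type, data):
    body = bytes([sub_type]) + data
    return encode_len(len(body)) + body


def build_sig_packet(pubkey_algo, issuer_keyid_hex, created, mpis):
    """v4 signature packet, sigclass 0x00, SHA-256, creation-time and issuer subpackets."""
    hashed = subpacket(2, struct.pack(">I", created))          # signature creation time
    unhashed = subpacket(16, bytes.fromhex(issuer_keyid_hex))  # issuer key ID
    body = bytes([4, 0x00, pubkey_algo, 8])
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xfd\x82"  # left 16 bits of the signed hash (taken from the dump, not computed)
    body += b"".join(encode_mpi(m) for m in mpis)
    return b"\xc2" + encode_len(len(body)) + body  # new-format header, tag 2 = signature


def parse_sig_packet(pkt):
    """Return the fields gpg --list-packets prints for a v4 signature packet."""
    if pkt[0] & 0xC0 != 0xC0 or pkt[0] & 0x3F != 2:
        raise ValueError("not a new-format signature packet")
    body_len, pos = decode_len(pkt, 1)
    body = pkt[pos:pos + body_len]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    info = {"version": 4, "sigclass": body[1], "algo": body[2],
            "algo_name": ALGO_NAMES.get(body[2], "?"), "digest_algo": body[3]}
    p = 4
    areas = []
    for _ in range(2):  # hashed, then unhashed subpacket area
        alen = struct.unpack(">H", body[p:p + 2])[0]
        areas.append(body[p + 2:p + 2 + alen])
        p += 2 + alen
    info["digest_prefix"] = body[p:p + 2].hex()
    p += 2
    bits = []
    while p < len(body):  # the rest of the body is the algorithm-specific MPIs
        n = struct.unpack(">H", body[p:p + 2])[0]
        bits.append(n)
        p += 2 + (n + 7) // 8
    info["mpi_bits"] = bits
    info["sig_bytes"] = sum((n + 7) // 8 for n in bits)
    info["packet_bytes"] = len(pkt)
    for area in areas:
        q = 0
        while q < len(area):
            slen, q = decode_len(area, q)
            stype, sdata = area[q], area[q + 1:q + slen]
            q += slen
            if stype == 2:
                info["created"] = struct.unpack(">I", sdata)[0]
            elif stype == 16:
                info["issuer"] = sdata.hex().upper()
    return info


def compare_eddsa_rsa():
    """The two signatures from the thread, rebuilt with dummy MPIs of the same bit sizes."""
    eddsa = build_sig_packet(22, "1BB721A4B254D8E1", 1472657540,
                             [(1 << 255) | 0x1234, (1 << 255) | 0x5678])
    rsa = build_sig_packet(1, "ABFFEDB24008C6F9", 1472657570, [(1 << 4094) | 0x9ABC])
    return parse_sig_packet(eddsa), parse_sig_packet(rsa)


if __name__ == "__main__":
    for info in compare_eddsa_rsa():
        print(f"{info['algo_name']:6} issuer {info['issuer']} mpis {info['mpi_bits']} "
              f"sig {info['sig_bytes']} bytes, packet {info['packet_bytes']} bytes")
```

The parser stops at new-format headers and v4 packets, which is all the dump shows; old-format headers and partial body lengths would need a few more branches in `decode_len`.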
Re: [Sks-devel] Sync issues with sks 1.1.6
Steven Noonan writes:

> On 31/08/16 07:07, Christoph Egger wrote:
>> Steven Noonan writes:
>>> Attempted doing a dump and rebuild of my database from that, but it didn't help
>>> with this problem. Still sees those same two keys out of sync:
>>
>> Wild guess: ECC keys and your peer doesn't understand them and sends you
>> some data your server doesn't like
>
> Ah. Could that be what's making some of the bits on my server seem to stay on
> my server and apparently not replicate to other SKS hosts?
>
> Maybe I don't entirely understand the recon.log file, but it seems like it
> talks a bunch about pulling hashes from other hosts but doesn't log anything
> about sending them out.

Well it doesn't know really. The other side "locally" calculates the things it lacks and gets them via hkp.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Sync issues with sks 1.1.6
Hi!

Steven Noonan writes:

> Attempted doing a dump and rebuild of my database from that, but it didn't help
> with this problem. Still sees those same two keys out of sync:

Wild guess: ECC keys and your peer doesn't understand them and sends you some data your server doesn't like

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] seeking peers for sks.ustclug.org
SJ Zhu writes:

> 2016-08-27 13:54:52 Reconciliation attempt from unauthorized host [172.17.0.1]:39492>. Ignoring

Note that this is a private address from RFC 1918 space. So either something is NATing your incoming connections or this connection attempt comes from within your (campus) network.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Great increase in new keys and updated keys on August, 2016, 13 and 16
Pascal Levasseur writes:

> Any explanation available for this unusual behavior ?

Quoting #debian-devel

> evil32 keys got revoked https://news.ycombinator.com/item?id=12298230

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] [Announcement] SKS 1.1.6 Released
Gabor Kiss writes:

>>> Out of curiosity, is there any Debian-type repository one can use to
>>> install updates automatically?
>>>
>> https://packages.debian.org/jessie/sks ???
>
> Jessie is the _stable_ version. Its sks package won't be upgraded
> unless a major security hole will be found in 1.1.5.
>
> We hope sid gets 1.1.6 soon.

And I'd expect it on backports shortly after .. just like the 1.1.5 for wheezy

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] 32-bit (short ID) collisions: New milestone(?) reached
Hi!

Gunnar Wolf writes:

> There are several tools relying on this (now very) weak 32-bit scheme;
> the first such tool we found was precisely the «PGP pathfinder & key
> statistics» service, which fails badly: Even specifying the full
> fingerprints, I do get three (absolutely fake!) trust path into the
> impostor:
>
> http://pgp.cs.uu.nl/mk_path.cgi?FROM=AB41C1C68AFD668CA045EBF8673A03E4C1DB921F&TO=88BB08F633073D7129383EE71EA37A0C9F6C6333&PATHS=trust+paths

Moving this to full fingerprints is pretty high on my TODO list for a while .. though old consumers seem to be pretty unhappy with any change to the data so this needs fixing as well (the website being the only exception). Hope I can get it done this summer ...

You shouldn't trust the data there fwiw .. the mining script doesn't actually *check* any signatures and blindly believes what it says on the envelope. Might change as well when I fix the collector but we'll see.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
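To put a number on "now very weak": a 32-bit short ID is the low 32 bits of the v4 fingerprint, so among randomly generated keys a pair sharing a short ID is expected after roughly sqrt(pi/2 * 2^32), about 82,000 keys, and a targeted collision (what the evil32 set mentioned earlier in the thread did) is 2^32 key-generation attempts. The following added example (not the pathfinder's code and not from anyone on the list) derives long and short IDs from a fingerprint and runs the birthday search over synthetic fingerprints, which are SHA-1 of a counter here rather than hashes of real key material.

```python
"""Why 32-bit short key IDs are weak: derive long/short IDs from v4 fingerprints and
find two synthetic fingerprints sharing a short ID by a birthday search. Added
example; the "fingerprints" are SHA-1 of a counter, standing in for real key material."""
import hashlib


def long_keyid(fingerprint_hex):
    """v4 long key ID: low 64 bits, i.e. the last 16 hex digits of the fingerprint."""
    return fingerprint_hex[-16:].upper()


def short_keyid(fingerprint_hex):
    """32-bit short key ID: the last 8 hex digits (the 'D49AE731' style IDs)."""
    return fingerprint_hex[-8:].upper()


def synthetic_fingerprint(i):
    # constructed: a real v4 fingerprint is SHA-1 over the public key packet
    return hashlib.sha1(b"synthetic key material %d" % i).hexdigest().upper()


def find_short_id_collision(limit=1 << 22):
    """Birthday search: first pair of synthetic fingerprints with equal short IDs.
    Returns (fp_a, fp_b, keys_tried) or None if the limit is hit."""
    seen = {}
    for i in range(limit):
        fp = synthetic_fingerprint(i)
        sid = short_keyid(fp)
        if sid in seen and seen[sid] != fp:
            return seen[sid], fp, i + 1
        seen[sid] = fp
    return None


if __name__ == "__main__":
    fp_a, fp_b, tried = find_short_id_collision()
    print(f"after {tried} keys, short ID {short_keyid(fp_a)} belongs to both")
    print(f"  {fp_a}\n  {fp_b}")
    print(f"long IDs still differ: {long_keyid(fp_a)} vs {long_keyid(fp_b)}")
```

Any tool that keys its data on the short ID, as the pathfinder did, will merge the two keys found here; keying on the long ID is a 64-bit space, and only the full fingerprint identifies the key.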
Re: [Sks-devel] Pools & HSTS header
William Hay writes:

> On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
>> Hi,
>>
>> I enforce HTTPS on all my domains by sending the HSTS header to my
>> visitors. HSTS forces the browser to use in future only secure
>> connections to this domain. More info on Wikipedia[1] :)
>> Since my keyserver could be added to pools of keyservers without any
>> notice to me. It could be possible that some servers will send these
>> kind of headers on pool domains too.
>>
>> Did I miss there something or could this really lead to problems? :)
>
> AIUI HSTS only works if the header is received over an https connection
> not an http one. Unless you have a cert in the name of one of the pools
> then anyone trying to connect to the pool who ends up connecting to your
> server will not get far enough to see the HSTS header because of a name
> mismatch.

Well. http://pool.sks-keyservers.net(:11371)? --redirect--> https://keyserver.siccegge.de

And if keyserver.siccegge.de presents a valid certificate + HSTS that would be a problem, no? (and potentially undetected if the pool script mainly checks API pages)

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Oh, Jeeez...!
Ari Trachtenberg writes:

> Is there a common element to the bulk signatures that are being added?
> Can we, maybe, rate limit submissions per IP address?

These bulk bullshit submissions are the mostly-harmless branch of the problem. The way more pressing thing is

a) distributing unlawful / unethical data and having no way to get rid of it (starting from copyright infringement to *really* bad stuff)

b) dealing with legal requests to delete personal information (which is a "problem" in several jurisdictions)

The fake bulk signatures are certainly annoying but not much more than that.

Christoph
Re: [Sks-devel] Oh, Jeeez...!
Tobias Frei writes:

> About lacking keys, well, if the pool selection mechanism causes
> working keyservers to be removed, that's a separate problem that needs
> to be solved after this one, I think. It should not be an argument for
> or against this suggestion, but instead needs to adapt to the current
> situation.

It's not only pool selection but also at the very core of how the recon protocol works. You can't fix that as an afterthought.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] keys.gnupg.net anomaly
Christoph Egger writes:

> AFAIR keys.gnupg.net has been discussed here and keyserver operators are
> expected to make this work -- at least for hkps.

sorry that was meant to read hkp / port 11371

-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] keys.gnupg.net anomaly
Christoph Egger writes:

> of course -- if people use keys.gnupg.net with https, this advice should
> probably be fixed and/or the cname be moved to the "right" pool

Note that https://pool-sks-keyservers.net/ is also expected to not work -- there's the hkps pool for that.

-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] keys.gnupg.net anomaly
Hi!

"Kiss Gabor (Bitman)" writes:

> I found requests for https://keys.gnupg.net/ in my Apache logs
> on keys.niif.hu. Of course they were unsuccessful because
> my HTTP daemon is not set up to provide this virtual site.
>
> In the DNS we can see this:
> keys.gnupg.net CNAME pool.sks-keyservers.net
>
> Phil Pennock writes on http://sks.spodhuis.org/:
> | End-users should use a pool definition, such as keys.gnupg.net which will
> | alias into an operational pool.
>
> So this seems to be a well known situation but I don't believe
> it would be a wise thing.
> Google is full of complaints about "unreachable" or "non functional"
> keys.gnupg.net. The reason is above.
>
> What do you think, folks?

AFAIR keys.gnupg.net has been discussed here and keyserver operators are expected to make this work -- at least for hkps.

of course -- if people use keys.gnupg.net with https, this advice should probably be fixed and/or the cname be moved to the "right" pool

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Verification of keys on upload and removal options
Hi!

Malte writes:

> On Friday, March 25, 2016 1:33:16 PM CEST Andrew Gallagher wrote:
>> Before we even *think* about a protocol, there are policy hurdles to be
>> overcome, e.g.:
>>
>> 1. What criteria should be met before a key is removed?
>
> Owner of private key or owner of UID/email address requests it.

So if I have a revocation for a UID I once rightfully used (stating I no longer control that UID), the new owner of that UID can ask for removal of that revocation?

Christoph
[Sks-devel] Expired PGP Keys of operators
Hi!

While iterating over all my peers and checking why some were down and others no longer cross-peered I noticed lots of the PGP keys I originally wrote down are expired or revoked. I guess it would make sense for operators to announce key rotations on-list so people can keep their membership file up-to-date?

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
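The check described above can be scripted: read the key IDs operators note in the comment column of the membership file (the `host port # name 0xKEYID` convention visible in the peering requests later on this page) and look each up in `gpg --with-colons --list-keys` output, where field 2 of the `pub` line is the validity (`e` expired, `r` revoked), field 5 the long key ID and field 7 the expiry time. This is an added example, not SKS tooling: the membership file and the colon-format listing below are constructed samples, and the key material and expiry dates in them are made up.

```python
"""Cross-check operator keys noted in an SKS membership file against gpg's
machine-readable listing to find expired or revoked operator keys. Added example,
not SKS code; both inputs below are constructed samples. For real use, replace
GPG_COLONS with the output of `gpg --with-colons --list-keys`."""
import re

# membership format: host port # comment, with the operator's key id in the comment (constructed)
MEMBERSHIP = """\
keys.sflc.info 11370 # Clint Adams 0xDFFB8B0B5C6F5582
keyserver.siccegge.de 11370 # Christoph Egger 0xD49AE731
keys.example.net 11370 # Example Operator 0x0123456789ABCDEF
keys.missing.example 11370 # Someone Else 0xDEADBEEF
keys.nokey.example 11370 # no key id recorded
"""

# constructed gpg --with-colons output: pub field 2 = validity (e expired, r revoked),
# field 5 = long key id, field 7 = expiry (epoch seconds or empty); fpr line field 10 = fingerprint
GPG_COLONS = """\
pub:e:4096:1:DFFB8B0B5C6F5582:1300000000:1460000000::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF01DFFB8B0B5C6F5582:
uid:e::::1300000000::0000000000000000000000000000000000000000::Clint Adams <clint@example.org>::::::::::0:
pub:u:4096:1:965522B9D49AE731:1250000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::9FED5C6CE206B70A585770CA965522B9D49AE731:
uid:u::::1250000000::1111111111111111111111111111111111111111::Christoph Egger <christoph@example.org>::::::::::0:
pub:r:2048:1:0123456789ABCDEF:1350000000::::::sc::::::::::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:r::::1350000000::2222222222222222222222222222222222222222::Example Operator <op@example.net>::::::::::0:
"""


def parse_membership(text):
    """Yield {host, port, keyid, comment} for each non-comment membership line."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry, _, comment = line.partition("#")
        host, port = entry.split()[:2]
        m = re.search(r"0x([0-9A-Fa-f]{8,40})", comment)
        peers.append({"host": host, "port": int(port),
                      "keyid": m.group(1).upper() if m else None, "comment": comment.strip()})
    return peers


def parse_gpg_colons(text):
    """Map long key id -> {validity, expires, fingerprint, uids} from --with-colons output."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"validity": f[1], "keyid": f[4],
                       "expires": int(f[6]) if f[6] else None, "fingerprint": None, "uids": []}
            keys[f[4]] = current
        elif f[0] == "fpr" and current is not None and current["fingerprint"] is None:
            current["fingerprint"] = f[9]  # first fpr after pub is the primary key's
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def check_operators(peers, keys, now):
    """Return {host: 'ok' | 'expired' | 'revoked' | 'not-in-keyring' | 'no-keyid'}."""
    report = {}
    for peer in peers:
        kid = peer["keyid"]
        if kid is None:
            report[peer["host"]] = "no-keyid"
            continue
        # membership files mix 8-, 16- and 40-digit ids, so match on the suffix; an
        # 8-digit match is only as good as a short key id (see the collision thread)
        match = next((k for k in keys.values()
                      if k["keyid"].endswith(kid) or (k["fingerprint"] or "").endswith(kid)), None)
        if match is None:
            report[peer["host"]] = "not-in-keyring"
        elif match["validity"] == "r":
            report[peer["host"]] = "revoked"
        elif match["validity"] == "e" or (match["expires"] is not None and match["expires"] <= now):
            report[peer["host"]] = "expired"
        else:
            report[peer["host"]] = "ok"
    return report


if __name__ == "__main__":
    import time
    for host, status in check_operators(parse_membership(MEMBERSHIP),
                                        parse_gpg_colons(GPG_COLONS), int(time.time())).items():
        print(f"{host:28} {status}")
```

`now` is passed in rather than read from the clock so the result is reproducible; gpg marks a key `e` itself once it has expired, the explicit date comparison only catches keys whose listing was refreshed before the expiry passed.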
Re: [Sks-devel] Verification of keys on upload and removal options
Hi!

Douglas writes:

> It doesn't benefit anyone to retain keys uploaded with malicious
> intent, so I believe it's worth discussing a mechanism for key removal
> due to abuse of the system.

Sure. I suggest you start by reading the Minsky paper on how the keyservers work and bring forward a feasible protocol proposal.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Tor hidden service /onionbalance for hkp
Hi!

Kristian Fiskerstrand writes:

> as mentioned in [0] an experimental tor hidden service based on
> onionbalance is running on hkp://jirk5u4osbsr34t5.onion . A Tor column
> is added to the status pages, and participation requires manual
> notification to me.

Is there some documentation published on what is needed on the side of a keyserver operator? I'd really like to get my keyserver added there (next week sounds good for doing the work) but don't really know what is needed.

Christoph
Re: [Sks-devel] sks for MirageOS?
Hi!

Stephan Beyer writes:

> Does anyone of you have experience with MirageOS and knows what
> it takes to make a MirageOS unikernel from an "ordinary" OCaml program
> like sks?

You just have to rewrite any I/O code to the MirageOS library. So mostly network and backend storage for BDB (which isn't written in ocaml) (and I don't see anything like a unixoid filesystem available).

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
[Sks-devel] Peering with mud.stack.nl
Hi all!

Since some time I'm seeing an ever-growing number of [0] when my keyserver tries recon with mud.stack.nl. Note the "0 keys received". Is anyone else seeing this as well? Is this a problem (anyone knows what exactly?)?

Regards

Christoph

[0]
[...]
2015-09-26 17:57:25 Requesting 30 missing keys from , starting with D26FB78E027BCDB52A38F415DC493267
2015-09-26 17:57:26 0 keys received
2015-09-26 17:57:26 Requesting 30 missing keys from , starting with D7040DD31A0BABA7445C02A7E9BEE4C6
2015-09-26 17:57:26 0 keys received
[...]

-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
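Both of the recon-log symptoms raised on this page, the "Reconciliation attempt from unauthorized host [172.17.0.1]" line in the sks.ustclug.org peering thread and the "0 keys received" loop above, can be picked out of `recon.log` mechanically. The following added example (not SKS code and not from anyone on the list) does that: unauthorized attempts are classified by whether the source address is RFC 1918 / loopback (which means NAT or something on the local network rather than a real peer), and peers whose every "Requesting N missing keys" round ends with "0 keys received" are reported as stalled. The log lines are constructed from the formats quoted in the two messages; the peer address in angle brackets is a placeholder where the archive stripped it.

```python
"""Scan SKS recon.log lines for two symptoms discussed on sks-devel: reconciliation
attempts from private/loopback addresses (NAT or a local host, not a real peer) and
peers that keep answering "0 keys received". Added example, not SKS code; the log
below is constructed from the line formats quoted in the thread."""
import ipaddress
import re
from collections import defaultdict

UNAUTH_RE = re.compile(r"Reconciliation attempt from unauthorized host \[([^\]]+)\]:(\d+)")
REQUEST_RE = re.compile(r"Requesting (\d+) missing keys from (\S+), starting with ([0-9A-Fa-f]+)")
RECEIVED_RE = re.compile(r"(\d+) keys received")

# constructed sample; <host:port> stands for the peer address SKS prints there
SAMPLE_LOG = """\
2016-08-27 13:54:52 Reconciliation attempt from unauthorized host [172.17.0.1]:39492. Ignoring
2016-08-27 13:55:02 Reconciliation attempt from unauthorized host [92.43.111.21]:11370. Ignoring
2016-08-27 13:55:09 Reconciliation attempt from unauthorized host [::ffff:10.0.0.5]:40000. Ignoring
2015-09-26 17:57:25 Requesting 30 missing keys from <mud.stack.nl:11371>, starting with D26FB78E027BCDB52A38F415DC493267
2015-09-26 17:57:26 0 keys received
2015-09-26 17:57:26 Requesting 30 missing keys from <mud.stack.nl:11371>, starting with D7040DD31A0BABA7445C02A7E9BEE4C6
2015-09-26 17:57:26 0 keys received
2015-09-26 17:58:01 Requesting 12 missing keys from <keys.example.net:11371>, starting with 00A1B2C3D4E5F60718293A4B5C6D7E8F
2015-09-26 17:58:02 12 keys received
"""


def classify_unauthorized(lines):
    """Map each unauthorized source address to 'loopback', 'private' or 'global'."""
    out = {}
    for line in lines:
        m = UNAUTH_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 source
        if addr.is_loopback:
            out[m.group(1)] = "loopback"
        elif addr.is_private:
            out[m.group(1)] = "private"   # RFC 1918 / ULA: NAT or a host on the local network
        else:
            out[m.group(1)] = "global"    # a real remote host that is not in your membership file
    return out


def stalled_peers(lines, min_rounds=2):
    """Peers whose every 'Requesting N missing keys' round ended in '0 keys received'."""
    stats = defaultdict(lambda: {"requested": 0, "received": 0, "rounds": 0})
    current = None
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            current = m.group(2)
            stats[current]["requested"] += int(m.group(1))
            stats[current]["rounds"] += 1
            continue
        m = RECEIVED_RE.search(line)
        if m and current is not None:
            stats[current]["received"] += int(m.group(1))
    return {peer: st for peer, st in stats.items()
            if st["rounds"] >= min_rounds and st["received"] == 0}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for addr, kind in classify_unauthorized(lines).items():
        print(f"unauthorized recon from {addr:18} -> {kind}")
    for peer, st in stalled_peers(lines).items():
        print(f"stalled peer {peer}: {st['requested']} keys requested over "
              f"{st['rounds']} rounds, {st['received']} received")
```

Run it over the real file with `stalled_peers(open("/var/lib/sks/recon.log").read().splitlines())` (path as packaged on Debian, an assumption); a peer that shows up there for hours is the "large delta and not catching up" case from the de-peering thread.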
Re: [Sks-devel] Well connected?
Hi!

Daniel Roesler writes:

> Visualization:
> http://bl.ocks.org/diafygi/3f344c22f8a37a7b2151

How exactly does the green vs. red work given that keyservers cross-peer and almost all edges should go in both directions?

Christoph
Re: [Sks-devel] sks hiddden service
"Kiss Gabor (Bitman)" writes: > Eeerrr... what is the risk of using a public service in > TOR user's point of view? (Compared to using a hidden service.) > His identity is hidden anyway. End-To-End encryption and no CAs. signature.asc Description: PGP signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] seeking peers for keys.enteig.net
Hi!

> Running it on a Raspberry Pi shouldn't be a problem as SKS is
> pretty low on resources (except for the building process).

Well sks needs rather decent storage (or maybe lots of RAM as caches?) to perform remotely usably in my experience. In terms of "normal" RAM and CPU usage it's certainly harmless.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
[Sks-devel] Change of IP Address for keyserver.siccegge.de / keyserver.christoph-egger.org
Hi!

The IP addresses configured for my keyserver[0] are about to change. It will then also feature a static IPv4 address again. Addresses are:

92.43.111.21
2a01:4a0:59:3151::f002

Regards

Christoph

[0] keyserver.siccegge.de / keyserver.christoph-egger.org
Just different names for the same thing
Re: [Sks-devel] New keyserver (gpg.n1zyy.com) - peers requested
Hi!

Matt Wagner writes:

> IPv6[1].

Looks good from here FWIW

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Broken keyservers (413 Request Entity Too Large)
Arnold writes:

> People with a very large key can put their full key at a special place of their own
> (they are likely to be above average active internet users). They can still upload
> their key with exp. time and all textual UIDs. However, they should remove most of
> the signatures and picture UIDs and instead include a 'preferred key server' field.

FWIW I can still upload an arbitrary-size key by splitting it into separate chunks. I could, for example, just upload the signatures for each uid separately and the keyserver will reassemble the bits again.

I don't really see my key as abusive in some way (I would probably create it differently today but still).

Christoph
[Sks-devel] Broken keyservers (413 Request Entity Too Large)
Hi!

Seems uploading my gpg key (d49ae731) to pool.sks-keyservers.net fails for several of the hosts in rotation:

gpg: sending key D49AE731 to hkp server 213.206.252.51
gpgkeys: HTTP post error 22: The requested URL returned error: 413 Request Entity Too Large
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error
gpg: sending key D49AE731 to hkp server 193.17.17.6
gpgkeys: HTTP post error 22: The requested URL returned error: 413 Request Entity Too Large
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error
gpg: sending key D49AE731 to hkp server 162.17.206.197
gpgkeys: HTTP post error 22: The requested URL returned error: 413 Request Entity Too Large
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error
gpg: sending key D49AE731 to hkp server [2001:4d88:1ffc:477::7]
gpgkeys: HTTP post error 22: The requested URL returned error: 413 Request Entity Too Large
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error
gpg: sending key D49AE731 to hkp server [2001:1af8:3100:b010:a000::1]
gpgkeys: HTTP post error 22: The requested URL returned error: 413 Request Entity Too Large
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

% gpg --version
gpg (GnuPG) 1.4.18

Christoph
Re: [Sks-devel] "quality" of keyservers offering hkps
"Kiss Gabor (Bitman)" writes: >> - mitm attacks may manipulate up-/downloaded keys > > no > > Every uploaded key can be manipulated legally by anyone. > (I.e. you attach a new signature to your friend's key > and you send back to the key servers.) > Moreover anybody can send a totally new key in the name of you. > Public key server is like Wikipedia or a piece of paper. > And everybody has a pencil. :-) You can still block certain pakets from up/downloads (i.e. not providing signature pakets for some key -- kind of a DoS when checking a trust path) Christoph -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 Debian Developer | Lisp Hacker | CaCert Assurer pgpBlJJTv23Qa.pgp Description: PGP signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Moving SKS to a different host
Pete Stephenson writes:

> On 8/3/2014 3:03 PM, Tyler Schwend wrote:
>> Building the sks database from a dump takes a very long time, a lot
>> of disk space, and a lot of CPU. Is there a way to just move the
>> whole BDB from one host to another? I am switching hosts.
>
> I'm not sure if it's recommended, but I've done that successfully (where
> "successfully" is defined as "it doesn't seem to have broken anything yet").
>
> On two Ubuntu 14.04 systems, both with SKS 1.1.4, it was pretty easy:
>
> 1. Stop the SKS service on the old system: "sudo service sks stop"
>
> 2. Install SKS on the new host, if I haven't done so already: "sudo
> apt-get install sks". Using the package automatically creates the
> "debian-sks" user. If you're compiling from source your mileage may vary.
>
> 3. Copy /var/lib/sks/* from the old to the new host (I did this using
> rsync, but you can use whatever you wish).
>
> 4. Ensure that the directory and its contents on the new host have
> proper permissions: for example, "sudo chown -R debian-sks:debian-sks
> /var/lib/sks/"
>
> 5. On the new host edit /etc/default/sks, set initstart=yes. Ensure that
> /etc/sks/membership and /etc/sks/sksconf are set up appropriately.
>
> 6. Start SKS on the new host: "sudo service sks start"

Just be careful when your architecture changes. As long as it's 64bit x86 -> 64bit x86 this should work, if you do 32bit -> 64bit or the other way 'round not so much ;-)

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Keydump
Ahoi!

Henning Kopp writes:

> Is it possible to get a keydump of all gpg-keys? Are there any usage
> restrictions? What would the size of the data be?

Take a look at https://bitbucket.org/skskeyserver/sks-keyserver/wiki/KeydumpSources

I doubt any of the operators will mind a one-time download of this source for research purposes.

Regards

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Question about apache2 configuration
Todd Lyons writes:

> On Tue, Nov 12, 2013 at 6:45 AM, Filip Stefaniak wrote:
>>
>>> Your webserver doesn't return the sks interface when contacted as
>>> p80.pool.sks-keyservers.net or even pool.sks-keyservers.net so it
>>> can't be used as part of the port80 Pool
>>
>> Ok. So as I assume I have to add:
>>
>> ServerAlias pool.sks-keyservers.net
>> ServerAlias p80.pool.sks-keyservers.net
>
> No, because you are adding to a name-based virtual hosting
> configuration. You would have to add EVERY SINGLE POSSIBLE dns cname
> that could be pointed to pool.sks-keyservers.net (such as
> keys.gnupg.org). Instead, use an IP based virtual hosting
> configuration, one that doesn't care what Host header gets sent to it.

Well it's quite uncommon for the hosts in the p80 pool to have a dedicated IPv4 address just for SKS (and quite a lot to ask for everyone not having a pool of free IP addresses around). You can of course try to at least get sks to be the default if you want.

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] Question about apache2 configuration
Filip Stefaniak writes: > W dniu 2013-11-12 14:12, Todd Lyons pisze: >> On Tue, Nov 12, 2013 at 09:42:13AM +0100, Filip Stefaniak wrote: >> >>> I've tried to configure sks server with apache2 as described at >>> https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering >>> But I had a problem. When sks was set to listen on port 11371, apache >>> complained about listening on the same port. So I have changed the sks >>> port to 11372 and configured Proxy to this port: >> >>> >> >> When apache complains about a VirtualHost declaration and things >> listening on the same port, it usually means there is an overlap in the >> name-based virtualhosts and the ip-based virtual hosts. It depends if >> you interpreted the message correctly. If it was complaining that >> another process already had the port open and apache couldn't open it, >> then the problem is that you have sks configured to listen on *:11371 >> or 0.0.0.0:11371 instead of 127.0.0.1:11371. Alternativately, apache is >> complaining that multiple places in its own config tries to listen on >> port 11371. The most important way to control this is to control it >> with the Listen statements. > > Thanks Todd, > The problem was eventually solved. The main issue (among others) was > that the server is behind the router and has a *local ip* assigned, > while I tried to force apache to listen on *external ip* on 11371 (now > it is obious and silly, but sometimes it is really hard to find out such > tiny mistakes). > > Your httpd configuration I found on this list helped me a lot with > setting up things. > > Here I have another question: on the status page I'm not "Port 80" > positive, however my server has access on 80 port > (http://klucze.achjoj.info/). I see that you have green light there. > How to configure this? 
Your webserver doesn't return the sks interface when contacted as p80.pool.sks-keyservers.net or even pool.sks-keyservers.net so it can't be used as part of the port80 Pool

% curl http://89.68.150.88/ -H 'Host: pool.sks-keyservers.net'

Christoph
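The fix this thread circles around (answer with the SKS interface for whatever Host header the pool sends, without listing every possible CNAME) as an added example, not from the thread or the SKS wiki: a name-based Apache setup in which the SKS proxy vhost is declared first for *:80 and therefore acts as the default for any unmatched name. The host name keyserver.example.org and the backend 127.0.0.1:11371 are placeholders I chose; mod_proxy and mod_proxy_http must be enabled.

```apache
# Added example (not from the thread). Apache hands any request whose
# Host header matches no ServerName/ServerAlias on *:80 to the FIRST
# VirtualHost declared for that address:port, so putting the SKS proxy
# vhost first makes it the default for pool.sks-keyservers.net,
# p80.pool.sks-keyservers.net, keys.gnupg.org, the bare IP and any other
# CNAME the pool operator may add later.
Listen 80

<VirtualHost *:80>
    ServerName keyserver.example.org        # placeholder for the real host name
    # Explicit aliases document the names you already know about; being
    # declared first is what catches every name you do not know about.
    ServerAlias pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net
    ServerAlias keys.gnupg.org

    # Plain reverse proxy to sks bound to loopback only (so sks and apache
    # never fight over the same port on the public address).
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
</VirtualHost>

# Any other site on the same address is declared AFTER the SKS vhost and
# therefore only answers for its own ServerName.
<VirtualHost *:80>
    ServerName www.example.org              # placeholder
    DocumentRoot /var/www/example
</VirtualHost>
```

The check from the thread (curl against the IP with -H 'Host: pool.sks-keyservers.net') should then return the SKS index page instead of the other site's content.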
Re: [Sks-devel] seeking peers for keys.sflc.info
Hi!

Clint Adams writes:

> keys.sflc.info 11370 # Clint Adams
> 0xDFFB8B0B5C6F5582

Added. Please add me back!

keyserver.siccegge.de 11370 # Christoph Egger 0xD49AE731

Christoph
Re: [Sks-devel] keyserver.siccegge.de IP change
Hi!

Gaudenz Steinlin writes:

> Christoph Egger writes:
>> Unfortunately keyserver.siccegge.de lost its static IPv4
>> configuration. DNS has been set up to follow the actually used IP
>> addresses (hopefully visible soon on a Nameserver near you). I will soon
>> add a (static) IPv6 address again (allocated from
>> 2001:a60:f01c::/48). If you are peering with me right now and can not
>> handle changing IP addresses please inform me!
>
> Unfortunately my firewall configuration does not currently support
> regularly changing IPs. So I removed the peering for the time being.
> But if you have IPv6 again, I'm happy to peer on v6 again.

IPv6 should be back and on a stable address. So you can add me back if you want!

Christoph
[Sks-devel] keyserver.siccegge.de IP change
Hi all!

Unfortunately keyserver.siccegge.de lost its static IPv4 configuration. DNS has been set up to follow the actually used IP addresses (hopefully visible soon on a Nameserver near you). I will soon add a (static) IPv6 address again (allocated from 2001:a60:f01c::/48). If you are peering with me right now and can not handle changing IP addresses please inform me!

Christoph
Re: [Sks-devel] Upgrading to 1.1.3 Through Debian Backports
Hi!

John Clizbe writes:

> Patrick R McDonald wrote:
>> I would like to upgrade my sks on Debian Squeeze from 1.1.1 to 1.1.3
>> using Debian backports. Is there anything of which I need to be aware
>> when making this upgrade?
>
> if your 1.1.3 is linked with the same version of Berkeley DB as your 1.1.1,
> there should be little to worry about.

Which is exactly the reason dkg made sure both (1.1.1 in squeeze and the 1.1.3 in squeeze-backports) are at the same bdb version ;-)

Christoph
Re: [Sks-devel] status pages on sks-keyservers.net
Michael Nausch writes:

> - RProx??? what's that? reverseproxy?

Jep

> - Port 80 it's colored false with red, 'cause you can reach my server
> http://keyserver.nausch.org as you can reach it as
> http://keyserver.nausch.org:11371

It's the pool. Does it work with http://pool.sks-keyservers.net/? If not, your port80 support is irrelevant for the pool.

> - hkps it's colored false with red, 'cause you can reach my server
> https://keyserver.nausch.org with root-certificates
> from http://www.cacert.org/index.php?id=3

Does it work on https://pool.sks-keyservers.net/? With a certificate that is valid for that? There are even instructions on how to get such a certificate. If your certificate is not valid for the pool site your hkps support is irrelevant for the sks pool.

Christoph

PS: There's some *.pool.sks-keyservers.net you want to support also
[Sks-devel] keyserver.siccegge.de getting dynamic IP soon
Hi all!

Due to changes at the location the keyserver is hosted, I'll have to use dynamic IP addresses for now (IPv4 only, the v6 address stays static). I might be able to give it static addresses again in the future but for now I'll have to deal with changing addresses.

Regards

Christoph
Re: [Sks-devel] seeking peers for sks.ecks.ca
Hello Ronny

Ronny Wagner writes:

> The content of this e-mail is confidential. If you are not the
> intended recipient or if this e-mail was addressed to you in error,
> please notify the sender immediately and then delete the e-mail.
> Unauthorized copying and unauthorized forwarding are not permitted.
> The security of transmissions by e-mail cannot be guaranteed. If you
> would like a confirmation, please request the content of the e-mail as
> a hard copy.
>
> This e-mail may contain confidential and/or privileged information. If
> you are not the intended recipient (or have received this e-mail in
> error) please notify the sender immediately and destroy this
> e-mail. Any unauthorized copying, disclosure or distribution of the
> material in this e-mail is strictly forbidden.

As I am not the maintainer of sks.ecks.ca I assume the mail reached my inbox accidentally -- maybe through the sks mailinglist? Of course I have followed the instructions and instantly deleted the copy that reached my machine and am notifying you now!

Christoph
Re: [Sks-devel] Wrong key fetched?
John Clizbe writes:

> Christoph Egger wrote:
>> Something weird happening when fetching 0xE33EC63DF983 -- it gets
>> 0x9CDF568F which doesn't even have a subkey called 0xE33EC63DF983 as
>> far as I can see. Anyone know what's going on?
>>
>> Regards
>>
>> Christoph
>>
> It's a subkey according to a verbose index...
> http://keyserver.gingerbear.net:11371/pks/lookup?search=0xE33EC63DF983&fingerprint=on&op=vindex

Hm, now that makes me wonder why the subkey is not displayed by gpg --fingerprint while it does show all the different subkeys on my key.
[Sks-devel] Wrong key fetched?
Hi!

Something weird happening when fetching 0xE33EC63DF983 -- it gets 0x9CDF568F which doesn't even have a subkey called 0xE33EC63DF983 as far as I can see. Anyone know what's going on?

Regards

Christoph

christoph@mitoraj {3} ~ 11:07 0 % gpg --recv-keys 0xE33EC63DF983
gpg: requesting key CC3DF983 from hkp server keyserver.siccegge.de
gpg: key 9CDF568F: public key "SMARTDATA Software " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 130 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 130 signed: 290 trust: 130-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2013-02-03
gpg: Total number processed: 1
gpg: imported: 1
christoph@mitoraj {3} ~ 11:08 0 % gpg --fingerprint 9CDF568F
pub 1024D/9CDF568F 2001-06-15
 Key fingerprint = 80CD 203E A7AE 87BE 6F5E 28D9 E9A0 CB76 9CDF 568F
uid SMARTDATA Software
uid SMARTDATA
sub 2048g/7B8716C1 2001-06-15
Re: [Sks-devel] warning about keyserver problems
Hi!

Christoph Egger writes:

> as your script is already tracking the status of keyservers on the
> web, maybe it would be possible to send the administrator a mail every
> time the keyserver drops out of the pool due to problems? Seems
> keyservers have the tendency to actually fail after running for some
> time and need kicking.

I also noticed it's currently OK for a keyserver to be out-of-date by several days before getting kicked from the pool. Is this desired or should we have a stricter delta limit?

Christoph
[Sks-devel] warning about keyserver problems
Hi!

As your script is already tracking the status of keyservers on the web, maybe it would be possible to send the administrator a mail every time the keyserver drops out of the pool due to problems? Seems keyservers have the tendency to actually fail after running for some time and need kicking.

Regards

Christoph
[Sks-devel] WOT file
Hi all!

I hacked on pks2wot.py and created a .wot file using the current state of my keyserver (keyserver.siccegge.de) [0]. I'm currently thinking of whether running a weekly export would be useful to others. I'll also clean up the hack and publish the code once I find time. If there are any problems with the generated .wot I'd like to hear about them.

Regards

Christoph

[0] http://www.sieglitzhof.net/~christoph/test.wot
Re: [Sks-devel] seeking peers for pgp.jjim.de (Germany, DUS)
Hi!

"Joel Garske (ML)" writes:

> pgp.jjim.de 11370 # Joel Garske 0xA921EB20

I've just added you to my membership file, please also add my keyserver to yours:

keyserver.siccegge.de 11370 # Christoph Egger 0xD49AE731

It is located in Erlangen.

Regards

Christoph
[Sks-devel] Changed IPv6 Address for keyserver.siccegge.de
Hi!

The IPv6 Address for keyserver.siccegge.de has changed (it's now 2001:a60:f01c:0:42::1). IPv4 addresses are still the same.

Regards

Christoph
Re: [Sks-devel] keyserver.siccegge.de downtime
Hi all!

Christoph Egger writes:

> Due to random hangs I've stopped sks on keyserver.siccegge.de for now
> which seems to improve things a bit (I'd bet on network stack). Will be
> back after debugging stuff a bit / replacing hardware.

It's currently back online. Might just have been a loose LAN cable. I'll assume this cause if it continues running now.

Regards

Christoph
[Sks-devel] keyserver.siccegge.de downtime
Hi!

Due to random hangs I've stopped sks on keyserver.siccegge.de for now which seems to improve things a bit (I'd bet on network stack). Will be back after debugging stuff a bit / replacing hardware.

Regards

Christoph
Re: [Sks-devel] SKS debian package
virii writes:

> On 07/11/2012 05:56 PM, Marco Nenciarini wrote:
>> On Wed, 11/07/2012 at 17:34 +0200, virii wrote:
>>> Hi @ all
>>>
>>> Are there some news 'bout an updated SKS debian package for the repos?
>>>
>>
>> Are you talking about a backport of the package currently in unstable?
>>
>> Cheers,
>> Marco
>>
>
> Best would be a stable package. Latest version you can get via the
> stable repo is 1.1.1

You won't ever possibly get new versions through stable repositories apart from new stable releases. That's the whole point of doing a stable branch at all. It's possible to have a backports package for stable systems, which may very well soon start to exist if someone does the actual work + testing. There's an up-to-date 1.1.3 package in testing/unstable.

Regards

Christoph
Re: [Sks-devel] Why is keyserver.siccegge.de not in Port80 pool?
Hi!

Kristian Fiskerstrand writes:

> On 2012-07-06 11:03, Christoph Egger wrote:
>> Hi!
>>
>> I noticed keyserver.siccegge.de is not in the port80 pool. However I
>> can get the status page over port80 and
>>
>> gpg --keyserver hkp://keyserver.siccegge.de:80/ --recv-keys $KEYID
>>
>> both works on IPv4 only hosts and IPv6 enabled systems.
> Hi Christoph,
>
> Are you sure your system is properly set up to handle the virtual hosts?
> It can't be included in the pool unless it respond to all the pool Host
> headers (and preferably the IP directly without any host header at all)

Of course! vhosts work for `keyserver.siccegge.de' but I didn't think of adding the relevant stuff for the pools. Thanks for the hint, fixing now!

Regards

Christoph
[Sks-devel] Why is keyserver.siccegge.de not in Port80 pool?
Hi!

I noticed keyserver.siccegge.de is not in the port80 pool. However I can get the status page over port80 and

gpg --keyserver hkp://keyserver.siccegge.de:80/ --recv-keys $KEYID

both works on IPv4 only hosts and IPv6 enabled systems.

Regards

Christoph
Re: [Sks-devel] DisUnitedStates.com down; Re: DB_ENV->set_lk_detect: unknown deadlock detection mode specified
Hi!

Daniel Kahn Gillmor writes:

>> Backports of newer Berkeley DB "work" too, and likely
>> have some other usage cases than SKS because of bdb+sqlite3 API.
>
> right, this is one other path i considered, but i don't really want to
> have to maintain a bdb backport for the remaining lifetime of squeeze.
> maintaining an sks backport is sufficient for me :)
>
> OTOH, if someone else is eager to responsibly maintain a bdb backport,
> i'd be happy to make the sks backport rely on it. Any takers?

You could also continue using the 4.6 for the 1.1.3 backport, also in use by 1.1.1, removing the need for one of the upgrades. This shouldn't be much trouble on the backports package side. I was nearly doing so for my local "let's try to build the unstable package on stable".

Regards

Christoph
Re: [Sks-devel] DisUnitedStates.com down; Re: DB_ENV->set_lk_detect: unknown deadlock detection mode specified
Hi!

John Clizbe writes:

> David Benfell wrote:
>> On 06/25/12 01:15, John Clizbe wrote:
> FWIW, I believe the current debian package for 1.1.3 is using 4.7

The 1.1.1 package in stable is at 4.7. The 1.1.3 in unstable uses 5.1 and the backported sks 1.1.3 in stable-backports will be using 4.8 just to add to the confusion ;-)

Regards

Christoph
Re: [Sks-devel] unable to allocate memory for mutex; resize mutex region [was: Re: Min. Requirement for SKS Version in the Pool]
Hi!

Daniel Kahn Gillmor writes:

> On 06/25/2012 01:50 AM, Christoph Egger wrote:
>> Daniel Kahn Gillmor writes:
>>> On 06/25/2012 12:44 AM, Kristian Fiskerstrand wrote:
>>>> Please let me know if we should push the timeline some for the 1.1.2
>>>> minimum to get more time for testing, as originally stated my primary goal
>>>> is getting to 1.1.3, so this shouldn't necessarily affect too much, we can
>>>> still keep that at August 1.
>>> Error fetching uid during VIndex for keyid 0x29BE5D2268FD549F:
>>> Bdb.DBError("unable to allocate memory for mutex; resize mutex region")
>>
>> the 65536 mutex count wasn't enough to stand a gpg --refresh-keys on a
>> ~1k keys pubring here with a (probably) similarly backported package as
>> I still ran into this error so please test also "heavy" load ;-)
>
> Testing with a large keyring refresh now, thanks for the suggestion.
>
> Is your test package running behind a reverse proxy, as recommended at:
>
> http://lists.nongnu.org/archive/html/sks-devel/2012-03/msg6.html

Jep, it's behind a nginx instance (keyserver.siccegge.de)

Regards

Christoph
Re: [Sks-devel] Min. Requirement for SKS Version in the Pool
Hi!

Daniel Kahn Gillmor writes:

> On 06/25/2012 12:44 AM, Kristian Fiskerstrand wrote:
>> Please let me know if we should push the timeline some for the 1.1.2 minimum
>> to get more time for testing, as originally stated my primary goal is
>> getting to 1.1.3, so this shouldn't necessarily affect too much, we can
>> still keep that at August 1.
> Error fetching uid during VIndex for keyid 0x29BE5D2268FD549F:
> Bdb.DBError("unable to allocate memory for mutex; resize mutex region")

The 65536 mutex count wasn't enough to stand a gpg --refresh-keys on a ~1k keys pubring here with a (probably) similarly backported package, as I still ran into this error, so please test also "heavy" load ;-)

Regards

Christoph
Re: [Sks-devel] Issue Importing Database Dump (Dents in my forehead)
Hi!

John Clizbe writes:

> I've never exceeded an inuse mutex count of ~42k, you shouldn't need that high
> of a number either. Tunables in DB_Config won't help you on build, the BDB env
> isn't created until 'sks clean'. Likewise the environment isn't created in
> PTree until it's used after 'sks pbuild'.

FWIW I had to increase it beyond the 65536 (it's now at 98304) to get back to a reasonably working sks after upgrading from bdb 4.7 / sks 1.1.1 to bdb 4.8 / sks 1.1.3 in "normal" operation

Regards

Christoph
[Sks-devel] Pool for port-80 reachable keyservers?
Hi!

I was talking with some folks at a GPG crashcourse / Keysigning event last week where I was asked for a pool containing only keyservers reachable through standard HTTP(s) ports (useful for example behind restrictive firewalls). As far as I know no such pool exists but maybe one could be created? (though checking if port 80 is open isn't enough to see if the keyserver supports port 80 -- it could deliver a completely different site there)

Regards

Christoph
[Sks-devel] peering broken for keyservers using reverse-proxies?
Hi!

Recently I started to see failures in my recon.log:

2012-04-04 23:35:59 Error getting missing keys: Failure("")
2012-04-05 00:57:10 Error getting missing keys: Failure("\r")

Interestingly all peers I'm seeing this kind of failure with are marked as using reverse-proxies on http://sks-keyservers.net/status/ -- is this setup in some way broken?

Regards

Christoph
Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?
Andrey Korobkov writes:

> That's good :)
> So, that was because SKS was listening on IPv4.
>
> But what about:
> 2011-04-07 00:57:02 Recon partner: [2001:a60:f01c:0:70:1:6:42]:11370>
> 2011-04-07 00:57:03 Initiating reconciliation
> 2011-04-07 00:57:05 error in callback.:
> Sys_error("Connection reset by peer")
>
> What does it mean?

Probably

2011-04-06 22:57:05 Reconciliation attempt from while gossip disabled. Ignoring.

Which I guess is happening when your server is contacting mine while mine is currently getting updates from another server. You should probably be able to get through next time (or maybe right now looking at my logs)

Regards

Christoph
Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?
Andrey Korobkov writes:

> One more problem with IPv6 peering:
>
> 2011-04-07 00:23:44 address for keyserver.siccegge.de:11370 changed
> from [] to [, [212.114.250.148]:11370>, ]
> 2011-04-07 00:23:44 address for keyserver.serviz.fr:11370 changed from
> [] to [, [46.4.139.47]:11370>]
> 2011-04-07 00:24:44 Recon partner:
> 2011-04-07 00:24:44 error in callback.: Unix error:
> Invalid argument - connect()
> 2011-04-07 00:25:44 Recon partner:
> 2011-04-07 00:25:44 error in callback.: Unix error: Invalid
> argument - connect()
>
> Seems, that SKS uses IPv4 address for peering... Strange.
> May be, it's because my SKS itself is listening on 127.0.0.1 and
> reverse-proxied via nginx?
> What about your servers? Does IPv6-IPv6 peering work in such case
> (dual-stack)?

Works here:

2011-04-06 22:52:02 Requesting 30 missing keys from , starting with 4D852FC7D971194E481017D2D7D3AC65
2011-04-06 22:52:05 30 keys received

Regards

Christoph
Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?
Андрей Коробков writes:

> I'm using btrfs on server and reiserfs on desktop. May be, BDB do some
> very-low level things?...

Is one of them 64 bit and the other 32 bit? If so that'll break. If the server is 32bit you could build it on your desktop using a 32bit chroot environment.

> After more than 24 hours no visible progress at n=1 (RAM=256 Mb)... :(

For building on the server it was necessary to turn down some parameters to the import run for my keyserver ( -n 10 -> something smaller in sks_build.sh)

Regards

Christoph
Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?
Андрей Коробков writes:

> The only problem is to have such a huge key database being built from dump
> on my memory-limited 32-bit home server. When I tried to do the thing on my
> 64-bit desktop and then copy the DB files to server, SKS didn't want to
> start because of something like "__db.003 environment not found". May be,
> these DB files are architecture-specific and binary incompatible between
> i686 and x86_64?
> Can I do something other than just sit and wait it for build?

These db files are incompatible between basically everything. Even using 32bit Little Endian / i386 built ones on 32bit little endian mipsel fails ;)

Regards

Christoph
Re: [Sks-devel] Are IPv6-only keyservers acceptable in the pool?
Hi!

Андрей Коробков writes:

> I want to set up keyserver, but it's only IPv6.
> Would you accept it in the pool?

I don't see any reason to reject such a keyserver and would peer with you as soon as yours is up!

Regards

Christoph
Re: [Sks-devel] problem with Debian squeeze
"Kiss Gabor (Bitman)" writes:

> /etc/cron.daily/sks:
> db4.7_archive: Program version 4.7 doesn't match environment version 4.6
> db4.7_archive: DB_ENV->open: DB_VERSION_MISMATCH: Database environment
> version mismatch
> run-parts: /etc/cron.daily/sks exited with return code 1

% gunzip -c /usr/share/doc/sks/NEWS.Debian.gz
sks (1.1.1+dpkgv3-1) unstable; urgency=high

  *** NOTE ***
  sks now uses a different BerkelyDB version. You need to upgrade your
  database prior to starting sks. Please read README.Debian for
  instructions

 -- Christoph Martin  Wed, 25 Aug 2010 17:55:07 +0200

/usr/share/doc/sks/README.Debian

If you have an old database from a Berkely DB Version (e.g 4.6) prior to
the current version (at the moment 4.7) you have to do the following in
/var/lib/sks/DB and /var/lib/sks/PTree:

db4.6_checkpoint -1
db4.6_recover
db4.7_recover -e
db4.7_checkpoint -1
db4.7_archive | xargs --no-run-if-empty rm -f
chown -R debian-sks:debian-sks /var/lib/sks /var/log/sks

Regards

Christoph
Re: [Sks-devel] Re: seeking peers for keyserver.siccegge.de
Hi!

Hauke Lampe writes:

> On 12.10.2010 00:23, Christoph Egger wrote:
>
>> After some more fiddling the firewall's now fine with IPv4 gossip
>
> One problem remains:
>
>> Requesting 1 missing keys from , starting
>> with C11C28AEA21E0CBF4960BC150B2D62DC
>> Error getting missing keys: Failure("> HTML 2.0//EN\">")
>
> The problem here is that sks hash queries don't behave well.
> The server sends a simple "POST /pks/hashquery" without "HTTP/x.x".

Thanks for letting me know. Fixed now.

Regards

Christoph
Re: [Sks-devel] seeking peers for keyserver.siccegge.de
Hi again!

Christoph Egger writes:

> I am running SKS version 1.1.1, on keyserver.siccegge.de.
>
> The server is physically located in Germany (Erlangen) (EU).
> The machine has IPv6 connectivity.
>
> keyserver.siccegge.de 11370 # Christoph Egger
> 0xD49AE731

After some more fiddling the firewall's now fine with IPv4 gossip fortunately and my keyserver has caught up with the rest of the net it seems. I had to decrease some parameters (e.g. http_max_fetch_size) to make it work properly.

A huge *thanks* for all the fast responses.

Regards

Christoph
Re: [Sks-devel] seeking peers for keyserver.siccegge.de
Christoph Egger writes:

> Hi!
>
> Gaudenz Steinlin writes:
>> Hi Christoph
>>
>> I would like to peer with your server but I can currently not connect
>> to it on IPv4. It works on IPv6 though. Is this intentional?
>
> No it's not intentional -- but well possible. I'll have to recheck
> the firewalling stuff here.

Alright, it was some trouble in the firewall. Can you please check again?

Thanks

Christoph

>>> keyserver.siccegge.de 11370 # Christoph Egger
Re: [Sks-devel] seeking peers for keyserver.siccegge.de
Hi!

Gaudenz Steinlin writes:

> Hi Christoph
>
> I would like to peer with your server but I can currently not connect
> to it on IPv4. It works on IPv6 though. Is this intentional?

No it's not intentional -- but well possible. I'll have to recheck the firewalling stuff here.

Regards

Christoph

>> keyserver.siccegge.de 11370 # Christoph Egger
> 0xD49AE731
[Sks-devel] seeking peers for keyserver.siccegge.de
Hi!

I am looking for peers for a new SKS keyserver installation.

I am running SKS version 1.1.1, on keyserver.siccegge.de.

The server is physically located in Germany (Erlangen) (EU).
The machine has IPv6 connectivity.

I've imported a dump from October 06. I see 2868900 keys loaded.

For operational issues, please contact me directly.

keyserver.siccegge.de 11370 # Christoph Egger