Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/11/2014 11:18 PM, Kristian Fiskerstrand wrote:
> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>> Dear lists,
>>>>
>>>> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>>>>
>>>> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>>>>
>>>> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>>
>> In recognition of package-maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.
>
> Adding to that, this would also keep servers that are protected due to the reverse proxy configuration remaining.

As only one server was left in the HKPS pool that hasn't been updated to fix this issue (or behind a rprox protecting it for it), the procedures have now been activated to discard this server. As of now the HKPS pool should be safe for CVE-2014-3207.

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Excellence is not a singular act but a habit. You are what you do repeatedly.
(Shaquille O'Neal)

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/12/2014 07:40 AM, Gabor Kiss wrote:
>> In recognition of package-maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.
>
> Eeerr... I know I speak against myself but keys.niif.hu is waiting for backported 1.1.5 Debian package but it got green flag.
>
> Gabor

Your reverse proxy is URLencoding the input, so

    curl http://$1:11371/pks/lookup/undefined1<ScRiPt>prompt('CVE-2014-3207')</ScRiPt>

actually gives back

    </style></head><body><h1>Page not found</h1>Page not found: /pks/lookup/undefined1%3CScRiPt%3Eprompt('CVE-2014-3207')%3C/ScRiPt%3E</body></html>

which should not be exploitable.

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Carpe noctem
Seize the night
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/12/2014 01:34 AM, Jeremy T. Bouse wrote:
> On 05/11/2014 05:18 PM, Kristian Fiskerstrand wrote:
>> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>>> Dear lists,
>>>>>
>>>>> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>>>>>
>>>>> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>>>>>
>>>>> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>>>
>>> In recognition of package-maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.
>>
>> Adding to that, this would also keep servers that are protected due to the reverse proxy configuration remaining.
>
> So where are the details on how the reverse proxy can be reconfigured to mitigate this issue until sks is upgraded? Assuming I'm understanding your statement correctly.

For apache used as proxy, look into

    Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this, and passes the URL path raw to the backend. Note that may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.

http://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Donec eris sospes, multos numerabis amicos. Tempora si fuerint nubila, solus eris.
As long as you are wealthy, you will have many friends. When the tough times come, you will be left alone
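The pool test Kristian describes (request a non-existent lookup path carrying a script tag and see whether it comes back raw or percent-encoded), together with the reverse-proxy canonicalisation point in the reply above, as an added example. This is not code from the thread or the sks-keyservers.net checker; the probe path and payload follow the curl command quoted earlier, while the response classes, the `&lt;ScRiPt&gt;` check for a backend that escapes itself, and the two sample responses (constructed, the second mirroring the keys.niif.hu output quoted in the thread) are my own assumptions.

```python
"""Added example: classify an SKS 404 page by how it reflects the requested
path, modelled on the pool test described in the thread. Not the pool's own
checker; path, payload and classification rules are assumptions."""
import http.client
import urllib.parse

# Payload from the curl command quoted in the thread; mixed-case tag so a
# naive lowercase "<script>" filter would not match it.
PAYLOAD = "<ScRiPt>prompt('CVE-2014-3207')</ScRiPt>"
# Non-existent lookup path whose "Page not found" body echoes the path back.
LOOKUP_PATH = "/pks/lookup/undefined1"
HKP_PORT = 11371

# Percent-encoded form a canonicalising reverse proxy forwards to SKS.
# '/', quotes and parentheses stay as they were in the quoted response.
ENCODED_PAYLOAD = urllib.parse.quote(PAYLOAD, safe="/'()")
# Assumption: a backend that escapes its own output emits "&lt;ScRiPt&gt;";
# only the angle brackets are checked.
ESCAPED_PREFIX = "&lt;ScRiPt&gt;"


def probe_path() -> str:
    """Raw request path with the payload left unencoded, as curl sends it."""
    return LOOKUP_PATH + PAYLOAD


def classify(body: str) -> str:
    """Classify a 404 body by what happened to the reflected path.

    "vulnerable"       - payload echoed verbatim; a browser would execute it
    "encoded-by-proxy" - path was percent-encoded before it reached SKS
    "html-escaped"     - the backend escaped the angle brackets itself
    "not-reflected"    - the path is not echoed into the body at all
    """
    if PAYLOAD in body:
        return "vulnerable"
    if ENCODED_PAYLOAD in body:
        return "encoded-by-proxy"
    if ESCAPED_PREFIX in body:
        return "html-escaped"
    return "not-reflected"


def check_server(host: str, port: int = HKP_PORT, timeout: float = 10.0) -> str:
    """Fetch the probe path from a live keyserver and classify the body.

    http.client is used (rather than urllib.request) so the path goes on the
    wire exactly as built, without a URL parser normalising it first.
    Not exercised offline."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", probe_path())
        resp = conn.getresponse()
        return classify(resp.read().decode("utf-8", errors="replace"))
    finally:
        conn.close()


# Constructed sample responses (not captured from real servers). PROXY_BODY
# mirrors the keys.niif.hu output quoted in the thread.
VULN_BODY = (
    "<html><head></head><body><h1>Page not found</h1>"
    "Page not found: /pks/lookup/undefined1"
    "<ScRiPt>prompt('CVE-2014-3207')</ScRiPt></body></html>"
)
PROXY_BODY = (
    "<html><head></head><body><h1>Page not found</h1>"
    "Page not found: /pks/lookup/undefined1"
    "%3CScRiPt%3Eprompt('CVE-2014-3207')%3C/ScRiPt%3E</body></html>"
)

if __name__ == "__main__":
    for name, body in (("raw reflection", VULN_BODY), ("behind proxy", PROXY_BODY)):
        print(f"{name}: {classify(body)}")
```

The "encoded-by-proxy" result is exactly the case Kristian accepted as green: the proxy's canonicalisation, not SKS, neutralised the payload, which is also why a `ProxyPass ... nocanon` line would turn that same server orange again.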
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>> Dear lists,
>>
>> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>>
>> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>>
>> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.

In recognition of package-maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Nomina stultorum scribuntur ubique locorum
Fools have the habit of writing their names everywhere
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>> Dear lists,
>>>
>>> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>>>
>>> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>>>
>>> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>
> In recognition of package-maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.

Adding to that, this would also keep servers that are protected due to the reverse proxy configuration remaining.

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Ad astra per aspera
To the stars through thorns
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/11/2014 05:18 PM, Kristian Fiskerstrand wrote:
> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>> Dear lists,
>>>>
>>>> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>>>>
>>>> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>>>>
>>>> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>>
>> In recognition of package-maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.
>
> Adding to that, this would also keep servers that are protected due to the reverse proxy configuration remaining.

So where are the details on how the reverse proxy can be reconfigured to mitigate this issue until sks is upgraded? Assuming I'm understanding your statement correctly.
Re: [Sks-devel] Changes to sks-keyservers.net pools
> In recognition of package-maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.

Eeerr... I know I speak against myself but keys.niif.hu is waiting for backported 1.1.5 Debian package but it got green flag.

Gabor

--
Spider-Pig, Spider-Pig
Does whatever a Spider-Pig does.
Can he swing from a web?
No, he can't, he's a pig.
Look out! He is a Spider-Pig.
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/06/2014 11:22 PM, Phil Pennock wrote:
> On 2014-05-06 at 17:53 +0200, Dinko Korunic wrote:
>> IMO delisting is fine as long as there is proper communication involved and people actually are aware that's going on -- I'm sure that not all the SKS administrators read the sks-devel on a daily/weekly basis.
>
> For clarity, this becomes: there's a chance that for a window of a couple of weeks, the only SKS administrators who will be in the rarely-used subset pool will be those who read SKS email daily. There's a chance that Kristian's main pool will become a set of servers run only by administrators who check their email at least every 45 days. This being the pool of keyservers which are the default for a number of mainstream clients.

Just to further clarify, as stated originally I don't expect to be making any change to the main pool at this time, so it would actually only affect the hkps pool that is expected to be (more) secure due to its TLS-nature.

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

I have always wished that my computer would be as easy to use as my telephone.
My wish has come true -- I no longer know how to use my telephone
(Bjarne Stroustrup, April 1999)
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
> Dear lists,
>
> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>
> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>
> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>
> I'm not making any changes to the main pool at this point.
>
> References:
> [0] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00026.html
> [1] http://www.openwall.com/lists/oss-security/2014/05/01/16

Might I suggest that there be some time given for servers to be upgraded before making this change? My servers run a stable baseline distro but I deploy SKS via backported packaging which hasn't been upgraded and I'm not going to compromise my system and run hand rolled source deployments as all my servers are managed via Puppet. I don't know about other admins but I only deploy software packages and it is automated to maintain consistency and remove human error. My server will be remaining at 1.1.4 until the backported package is available to be deployed at which time I'll be able to update the deployed version in my config management and they'll be upgraded.

XX: This is not being signed as I don't have my smartcard with my key on it with me today.
Re: [Sks-devel] Changes to sks-keyservers.net pools
> Might I suggest that there be some time given for servers to be upgraded before making this change? My servers run a stable baseline distro but I deploy SKS via backported packaging which hasn't been upgraded and I'm not going to compromise my system and run hand rolled source deployments as all my servers are managed via Puppet. I don't know about other admins but I only deploy software packages and it is automated to maintain consistency and remove human error. My server will be remaining at 1.1.4 until the backported package is available to be deployed at which time I'll be able to update the deployed version in my config management and they'll be upgraded.

The situation is the same here.
But I don't care if our servers are in the pool or not...

Gabor

--
Virgil Brigman back on the air
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
> Dear lists,
>
> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>
> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>
> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>
> I'm not making any changes to the main pool at this point.
>
> References:
> [0] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00026.html
> [1] http://www.openwall.com/lists/oss-security/2014/05/01/16

For those that do run Debian... BTS #746626 has been opened as Important and tagged as 'security upstream fixed-upstream' for 1.1.5 so hopefully the maintainer team will get it updated within Jessie soon which will then trigger the BPO for Wheezy.
Re: [Sks-devel] Changes to sks-keyservers.net pools
On Tue, 6 May 2014 14:58:48 +0200 (CEST), Gabor Kiss ki...@ssg.ki.iif.hu wrote:
>> Might I suggest that there be some time given for servers to be upgraded before making this change? My servers run a stable baseline distro but I deploy SKS via backported packaging which hasn't been upgraded and I'm not going to compromise my system and run hand rolled source deployments as all my servers are managed via Puppet. I don't know about other admins but I only deploy software packages and it is automated to maintain consistency and remove human error. My server will be remaining at 1.1.4 until the backported package is available to be deployed at which time I'll be able to update the deployed version in my config management and they'll be upgraded.
>
> The situation is the same here.
> But I don't care if our servers are in the pool or not...
>
> Gabor

My servers run a stable baseline distro, sks is not a priority. My server will remain at 1.1.4 until the backported package is available to be deployed.

robert
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 06.05.2014 11:08, Kristian Fiskerstrand wrote:
[...]
> context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>
> I'm not making any changes to the main pool at this point.

Hi,

If possible, I'd suggest actually *emailing* system administrators (via automated email or by mailing the sks-devel mailing list with a change summary) prior to removing their SKS servers from the pool, given that we both have their emails available, their PGP IDs and what not.

IMO delisting is fine as long as there is proper communication involved and people actually are aware that's going on -- I'm sure that not all the SKS administrators read the sks-devel on a daily/weekly basis.

Kind regards,
D.

--
NAME:Dinko.kreator.Korunic DISCLAIMER:Standard.disclaimer.applies
ICQ:16965294 JAB:kreator...@jabber.org PGP:0xEA160D0B
HOME:http://dkorunic.net QUOTE:Eat.right.stay.fit.and.die.anyway
Re: [Sks-devel] Changes to sks-keyservers.net pools
On 2014-05-06 at 17:53 +0200, Dinko Korunic wrote:
> IMO delisting is fine as long as there is proper communication involved and people actually are aware that's going on -- I'm sure that not all the SKS administrators read the sks-devel on a daily/weekly basis.

For clarity, this becomes: there's a chance that for a window of a couple of weeks, the only SKS administrators who will be in the rarely-used subset pool will be those who read SKS email daily. There's a chance that Kristian's main pool will become a set of servers run only by administrators who check their email at least every 45 days. This being the pool of keyservers which are the default for a number of mainstream clients.

I'm really not seeing a problem with this. The merits of an individual keyserver being run for its own use are different from the merits of a hostname being used for some pool of keyservers. There is plenty of justification for making sure that the hostname for the predominant pool used by people who don't change their keyserver definition from the default resolves only to servers which are able to get a security update out within 45 days.

-Phil