Re: [openpgp] key distribition and IETF document status
Paul Wouters <paul@nohats.ca> Mon, 27 July 2015 12:43 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D02F1B2CB2; Mon, 27 Jul 2015 05:43:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpqHQ5YSQqi4; Mon, 27 Jul 2015 05:43:31 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6646B1B2CD1; Mon, 27 Jul 2015 05:43:31 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3mg15X6r3CzDCl; Mon, 27 Jul 2015 14:43:28 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=VLrzlacm
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id SycHWEtnp6bx; Mon, 27 Jul 2015 14:43:26 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 27 Jul 2015 14:43:26 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6D287800AD; Mon, 27 Jul 2015 08:43:25 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1438001005; bh=YioIGapDPO7ZEYDV4NIK2MOFVnKE7zy0GLwuxwhUALI=; h=Date:From:To:cc:Subject; b=VLrzlacmf9pB9fsJmLrlIKId2nLkHFTEvTyLVO6cM250+3QGBySoGZjkQPyu3ZyGf chIORak3yw6Lt8+4dp5YAgsdrW/E2shq+r6lp/SkfK/xBnckVWHX4wpfQTO1qLlg/g OQvFT19ljSGwmYIxinxSCFF56g/Een1EvCja++sI=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t6RChOSp030088; Mon, 27 Jul 2015 08:43:25 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 27 Jul 2015 08:43:24 -0400
From: Paul Wouters <paul@nohats.ca>
To: Werner Koch <wk@gnupg.org>
Message-ID: <alpine.LFD.2.11.1507270820230.22806@bofh.nohats.ca>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/acJMbfrxbo-j_dW9_BQFxYOEOXk>
Cc: IETF OpenPGP <openpgp@ietf.org>, dane WG list <dane@ietf.org>
Subject: Re: [openpgp] key distribition and IETF document status
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2015 12:43:35 -0000
On Mon, 27 Jul 2015, Werner Koch wrote: >> I also find it _really_ ironic that it is not the openpgp key servers >> that you are calling "vast, aging and vaguely understood infrastructure" >> because if anything is a dangerous misunderstood mess that we cannot >> seem to clean up, it is the current electronic garbage heap of pgp >> keys we can never clean up because the owners lost their keys or > > We do not want to clean that up - there is and should be no need to ever > delete a public key from a public server. Then you really need better tools that filter out bogus and older keys, if this has to work for average users. One of my old keys uses idea which most people couldn't even use if they fetched the older instead of newer key. >> the keys were generated and uploaded by those not actually being the >> real owners of those email address specified in the openpgp key id. > > What is an "owner" of a mail address? Definitely nothing a keyserver > has to decide. right. But at least with DNSSEC, at this moment, you know that no one can publish OPENPGPKEY records for paul@nohats.ca except those who run nohats.ca. That's already a lot more pinned down then the current key servers. If you say people can manually pick out the latest key to avoid using my old expired or forgotten keys, than it makes people more vulnerable to recently added bogus keys by others. Which is why I think this is the worst distribution/discovery mechanism. >> And this is an actual real problem. There is no valid reason for needing >> to "work around" an experimental proposal that has a significant backing >> of people in the IETF, the mail community and opensource software > > Experimental? I might be confused but draft-ietf-dane-openpgpkey-03 > states Standards Track and Intended Status. I will double check with the chairs what conclusion was reached on this. I thought at the ietf92 in Dallas it was thought to become Experimental. > Nope. As I menotioned: distribution is not the problem. > Huh? The main pool currently as 105 active servers; 108 are not > currently qualified due to operation problems or not enough sync sites. > See > > https://sks-keyservers.net/status/ > > pgp.mit.edu is just fine if you don't mind that it runs only on legacy > IP. There might be 100 of those, but those using the tools can't just let the tools find them, so if I'm on the wrong side of the Great Firewall, the only names I know of servers to use would be pgp.mit.edu, keys.pgpi.net (is that still alive even?) or pgp.surfnet.nl. for example, gpg fails: [paul@thinkpad ~]$ gpg --recv-key 0x12345678 gpg: requesting key 0x12345678 from hkp server search.keyserver.net gpgkeys: HTTP fetch error 6: Could not resolve host: search.keyserver.net So from a practical point of view, for newbies there are 0 key servers and for those who were around during Crypto War I, there are two or three key servers. Until today, I had not even heard of sks-keyservers.net, and I'm probably a long term, better than average informed security user. So in my view, distribution is a very big problem the current key servers and tools are not handling well. Note that I checked enigmail and it does seem use pool.sks-keyservers.net (also, apparently it had two different keys with ID 0x12345678) I know John Gilmore also had additional patches for gnupg to assist with keyring discovery in the same LAN, aimed at keysigning parties, but those patches were apparently reject and he has given up on this project. Having been at too many failed key signing parties, that makes me sad. Related pet peeves: you cannot use --recv-key 0x12345678 --keyserver pool.sks-keyservers.net (the order matters) I'm not smart enough to remember if it is --keyserver or --key-server or --keyservers or --key-servers, or --recvkeys or --recv-keys or --recvkey or --recv-key. Some aliases would be really nice here. Paul
- Re: [openpgp] key distribition and IETF document … Paul Wouters
- Re: [openpgp] key distribition and IETF document … Werner Koch