From: Petter Reinholdtsen <pere@hungry.com>
Date: Wed, 10 Sep 2014 11:09:10 +0000 (+0200)
Subject: New post.
X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/commitdiff_plain/71d699bfe812a6abf0336106650478318f8a4098

New post.
---

diff --git a/blog/data/2014-09-10-gnupg-sks-keyservers.txt b/blog/data/2014-09-10-gnupg-sks-keyservers.txt
new file mode 100644
index 0000000000..9931e6f318
--- /dev/null
+++ b/blog/data/2014-09-10-gnupg-sks-keyservers.txt
@@ -0,0 +1,53 @@
+Title: Good bye subkeys.pgp.net, welcome pool.sks-keyservers.net
+Tags: english, debian, personvern, sikkerhet
+Date: 2014-09-10 13:10
+
+<p>Yesterday, I had the pleasure of attending a talk with the
+<a href="http://www.nuug.no/">Norwegian Unix User Group</a> about
+<a href="http://www.nuug.no/aktiviteter/20140909-sks-keyservers/">the
+OpenPGP keyserver pool sks-keyservers.net</a>, and was very happy to
+learn that there is a large set of publicly available key servers to
+use when looking for peoples public key.  So far I have used
+subkeys.pgp.net, and some times wwwkeys.nl.pgp.net when the former
+were misbehaving, but those days are ended.  The servers I have used
+up until yesterday have been slow and some times unavailable.  I hope
+those problems are gone now.</p>
+
+<p>Behind the round robin DNS entry of the
+<a href="https://sks-keyservers.net/">sks-keyservers.net</a> service
+there is a pool of more than 100 keyservers which are checked every
+day to ensure they are well connected and up to date.  It must be
+better than what I have used so far. :)</p>
+
+<p>Yesterdays speaker told me that the service is the default
+keyserver provided by the default configuration in GnuPG, but this do
+not seem to be used in Debian.  Perhaps it should?</p>
+
+<p>Anyway, I've updated my ~/.gnupg/options file to now include this
+line:</p>
+
+<p><blockquote><pre>
+keyserver pool.sks-keyservers.net
+</pre></blockquote></p>
+
+<p>With GnuPG version 2 one can also locate the keyserver using SRV
+entries in DNS.  Just for fun, I did just that at work, so now every
+user of GnuPG at the University of Oslo should find a OpenGPG
+keyserver automatically should their need it:</p>
+
+<p><blockquote><pre>
+% host -t srv _pgpkey-http._tcp.uio.no
+_pgpkey-http._tcp.uio.no has SRV record 0 100 11371 pool.sks-keyservers.net.
+%
+</pre></blockquote></p>
+
+<p>Now if only
+<a href="http://ietfreport.isoc.org/idref/draft-shaw-openpgp-hkp/">the
+HKP lookup protocol</a> supported finding signature paths, I would be
+very happy.  It can look up a given key or search for a user ID, but I
+normally do not want that, but to find a trust path from my key to
+another key.  Given a user ID or key ID, I would like to find (and
+download) the keys representing a signature path from my key to the
+key in question, to be able to get a trust path between the two keys.
+This is as far as I can tell not possible today.  Perhaps something
+for a future version of the protocol?</p>