Title: Good bye subkeys.pgp.net, welcome pool.sks-keyservers.net
Tags: english, debian, personvern, sikkerhet
<p>Yesterday, I had the pleasure of attending a talk with the
<a href="http://www.nuug.no/">Norwegian Unix User Group</a> about
<a href="http://www.nuug.no/aktiviteter/20140909-sks-keyservers/">the
OpenPGP keyserver pool sks-keyservers.net</a>, and was very happy to
learn that there is a large set of publicly available key servers to
use when looking for people's public keys. So far I have used
subkeys.pgp.net, and sometimes wwwkeys.nl.pgp.net when the former
was misbehaving, but those days are over. The servers I have used
up until yesterday have been slow and sometimes unavailable. I hope
those problems are gone now.</p>
<p>Behind the round robin DNS entry of the
<a href="https://sks-keyservers.net/">sks-keyservers.net</a> service
there is a pool of more than 100 keyservers which are checked every
day to ensure they are well connected and up to date. It must be
better than what I have used so far. :)</p>
<p>Yesterday's speaker told me that the service is the default
keyserver in the default GnuPG configuration, but this does not
seem to be the case in Debian. Perhaps it should be?</p>
<p>Anyway, I've updated my ~/.gnupg/options file to now include this
<blockquote><pre>
keyserver pool.sks-keyservers.net
</pre></blockquote></p>
<p>With GnuPG version 2 one can also locate the keyserver using SRV
entries in DNS. Just for fun, I did just that at work, so now every
user of GnuPG at the University of Oslo should find an OpenPGP
keyserver automatically should they need it:</p>

<p><blockquote><pre>
% host -t srv _pgpkey-http._tcp.uio.no
_pgpkey-http._tcp.uio.no has SRV record 0 100 11371 pool.sks-keyservers.net.
</pre></blockquote></p>
<p><a href="http://ietfreport.isoc.org/idref/draft-shaw-openpgp-hkp/">the
HKP lookup protocol</a> supported finding signature paths, I would be
very happy. It can look up a given key or search for a user ID, but
that is normally not what I want; I want to find a trust path from my
key to another key. Given a user ID or key ID, I would like to find
(and download) the keys that form a signature path from my key to the
key in question, so that I can establish a trust path between the two
keys. As far as I can tell, this is not possible today. Perhaps
something for a future version of the protocol?</p>
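<p>As an added example (not code from the original post or from the sks-keyservers project), the shell script below ties together the two mechanisms described above: it parses <code>host -t srv _pgpkey-http._tcp.&lt;domain&gt;</code> output into the <code>hkp://</code> keyserver URL a client should choose (lowest priority first, then highest weight, which is the SRV selection rule), and it builds the lookup URLs HKP does support today (<code>op=get</code> on a key ID, <code>op=index</code> on a user ID) with a percent-encoded search string. All input is constructed and embedded, so it runs without DNS or network access; the <code>example.org</code> records, the key ID <code>0x0123456789ABCDEF</code> and the e-mail address are made up, and only the pool.sks-keyservers.net target mirrors the post.</p>

```shell
# Added example, not from the original post. (1) Pick the keyserver from
# `host -t srv` output using the SRV rules (lowest priority, then highest
# weight). (2) Build HKP lookup URLs for the operations the protocol offers.
# Every sample value below is constructed; no DNS or network is needed.

# Constructed `host` output: three records for one service name. Only the
# pool.sks-keyservers.net target appears in the post; the others are invented.
sample_srv_output='_pgpkey-http._tcp.example.org has SRV record 10 50 11371 backup.example.org.
_pgpkey-http._tcp.example.org has SRV record 0 100 11371 pool.sks-keyservers.net.
_pgpkey-http._tcp.example.org has SRV record 0 20 80 keys.example.org.'

# Read `host -t srv` output on stdin and print "hkp://target:port" for the
# best record, or nothing when no SRV record is present. The fields after
# "has SRV record" are: priority weight port target.
srv_to_keyserver_url() {
    awk '
        /has SRV record/ {
            prio = $(NF-3) + 0; weight = $(NF-2) + 0; port = $(NF-1); target = $NF
            sub(/\.$/, "", target)   # strip the trailing root dot
            if (!found || prio < bprio || (prio == bprio && weight > bweight)) {
                found = 1; btarget = target; bport = port; bprio = prio; bweight = weight
            }
        }
        END { if (found) printf "hkp://%s:%s\n", btarget, bport }
    '
}

# Percent-encode a search string for the HKP query string. Covers printable
# ASCII, which is enough for key IDs and e-mail style user IDs; any other
# byte is passed through unchanged.
urlencode() {
    printf '%s' "$1" | awk '
        BEGIN { for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c ~ /[A-Za-z0-9._~-]/) out = out c
                else if (c in ord) out = out sprintf("%%%02X", ord[c])
                else out = out c
            }
            printf "%s", out
        }'
}

# hkp_lookup_url <hkp://host:port> <get|index|vindex> <search>
# HKP is plain HTTP on the SRV port, so hkp:// becomes http://. A 0x-prefixed
# hex key ID is passed as-is; anything else is treated as a user ID search.
# options=mr asks for machine-readable output.
hkp_lookup_url() {
    server=$1; op=$2; search=$3
    base=$(printf '%s' "$server" | sed 's|^hkp://|http://|')
    printf '%s/pks/lookup?op=%s&options=mr&search=%s\n' "$base" "$op" "$(urlencode "$search")"
}

# Stand-alone usage: select the server, print the config line, then build
# a key fetch and a user ID search (key ID and address are constructed).
server=$(printf '%s\n' "$sample_srv_output" | srv_to_keyserver_url)
echo "keyserver $server"     # the line for ~/.gnupg/options (or gpg.conf)
hkp_lookup_url "$server" get   "0x0123456789ABCDEF"
hkp_lookup_url "$server" index "alice@example.org"
```

<p>The selection step matters for the failure mode mentioned earlier (a slow or unavailable server): with several SRV records published, a client that honours priority and weight will skip a lower-ranked backup while the primary pool answers, and the trailing-dot stripping avoids a malformed host name in the resulting <code>keyserver</code> line.</p>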