searching for keys

Pete Stephenson pete at heypete.com
Sun Jul 14 12:08:27 CEST 2013


On Sun, Jul 14, 2013 at 9:46 AM, kardan <kardan at riseup.net> wrote:
> Thanks for the inspection! From my limited view I can not say what
> makes a keyserver legitimate. This is what whois says for me
>
>    Domain Name: SKS-KEYSERVERS.NET
>    Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
>    Whois Server: whois.PublicDomainRegistry.com
>    Referral URL: http://www.PublicDomainRegistry.com
>    Name Server: NS1.KFWEBS.NET
>    Name Server: NS10.SKS-KEYSERVERS.NET
>    Name Server: NS11.SKS-KEYSERVERS.NET
>    Name Server: NS12.SKS-KEYSERVERS.NET
>    Name Server: NS13.SKS-KEYSERVERS.NET
>    Name Server: NS6.SKS-KEYSERVERS.NET
>    Status: clientTransferProhibited
>    Updated Date: 17-feb-2013
>    Creation Date: 01-dec-2006
>    Expiration Date: 01-dec-2015

Did you follow the referral and query whois.publicdomainregistry.com
to get the more detailed information about the domain? For example,
http://smartwhois.com/whois/SKS-KEYSERVERS.NET will follow the
referral and yields the registrant's contact information (which I will
not include here).

> Searching for the owner via gpg brings different results without
> success. I assume the pool is not that well maintained?

I searched for the registrant of sks-keyservers.net on the keyservers
and found two current, valid public keys for them: a 4096-bit RSA key
signed by lots of people (0x6B0B9508) and a 15,360-bit(!) RSA key with
only a self-sig (0x43E67CF7).

My understanding is that the pool and the SKS keyserver software it
runs are well-maintained. http://www.sks-keyservers.net/status/ shows
53 active servers in the pool.

> * Connected to pool.sks-keyservers.net (198.82.169.69) port 443 (#0)
> * found 1 certificates
> in /etc/ssl/certs/hkps.pool.sks-keyservers.net.pem
> * server certificate verification failed.
> CAfile: /etc/ssl/certs/hkps.pool.sks-keyservers.net.pem CRLfile: none

Interesting. According to
http://www.sks-keyservers.net/overview-of-pools.php (see the very
bottom), the pool uses its own CA to sign server certs for HKPS
servers it lists. Server certificates for pool servers are signed by
the pool CA. If the certificate in
/etc/ssl/certs/hkps.pool.sks-keyservers.net.pem is a server cert for
one specific HKPS server in the pool, you will get certificate errors
when you query other servers in the pool (as they each have their own
unique certificate).

The pool CA certificate is available at
https://sks-keyservers.net/sks-keyservers.netCA.pem

Do you have GnuPG configured to use the CA certificate for the pool?
It looks like you're telling GnuPG to use one particular server
certificate as the CA, which won't work.

When I downloaded the pool CA and performed a key search over HKPS as follows,

$ gpg2 --search --keyserver hkps://hkps.pool.sks-keyservers.net \
      --keyserver-options ca-cert-file=./sks-keyservers.netCA.pem 0xDA122186

everything works as expected. (0xDA122186 is the KeyID for one of my own keys.)

You can also specify the ca-cert-file in your config file:

~/.gnupg/gpg.conf:
  keyserver hkps://hkps.pool.sks-keyservers.net
  keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem

The PEM certificate you mentioned,

> SSL certificate for hkps.pool.sks-keyservers.net:
>
> -----BEGIN CERTIFICATE-----
> MIIGkzCCBXugAwIBAgIDCsjWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
[snip]

appears to have been issued by StartSSL, a well-known CA, and has not
been signed by the pool CA. The key is issued with a
CN=www.secretresearchfacility.com. There is a pool key server running
under that domain, keyserver.secretresearchfacility.com, but it's
running on a server that uses SNI to use multiple SSL certificates on
a single server.

GnuPG appears to support SNI and so works correctly (the following
command works properly):

$ gpg2 --search --keyserver hkps://keyserver.secretresearchfacility.com \
      --keyserver-options ca-cert-file=./sks-keyservers.netCA.pem 0xDA122186

But does curl? If not, curl would not specify the correct hostname it's
looking for and the server (which doesn't know what hostname the client
wants) would present its default CA, which is the StartSSL-issued one.

Cheers!
-Pete

-- 
Pete Stephenson
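Editor's added example (not part of Pete's message, GnuPG, or the pool's own code): the SNI hypothesis above can be checked directly by making two TLS connections to the same HKPS host, one that sends the server_name extension and one that does not, verifying each chain against the pool CA file and reporting which name the presented certificate is for. The script below does that with only the Python standard library. The host name and CA file name are taken from the message purely as examples; pass your own on the command line. The two sample certificate dictionaries are constructed for the offline demonstration and were not captured from any server.

```python
"""Probe an HKPS server with and without SNI and verify its chain
against a chosen CA file.

Added example for the thread above; not GnuPG or pool code. Only the
Python standard library is used. Run with no arguments for an offline
demonstration of the hostname-matching logic, or as
    python sni_probe.py <host> <ca-file.pem>
to probe a live server twice (SNI sent, SNI omitted).
"""
import socket
import ssl
import sys
from typing import Dict, Tuple


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against hostname (RFC 6125 style:
    a wildcard covers exactly one leftmost label, nothing more)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # e.g. ".example.net"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """cert has the shape returned by ssl.SSLSocket.getpeercert().
    If any DNS SAN is present the CN is ignored, as modern clients do."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_name_matches(n, hostname) for n in dns_names)
    return any(
        key == "commonName" and _name_matches(value, hostname)
        for rdn in cert.get("subject", ())
        for key, value in rdn
    )


def subject_cn(cert: Dict) -> str:
    """First commonName in the subject, for reporting."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def probe(host: str, cafile: str, send_sni: bool, port: int = 443,
          timeout: float = 10.0) -> Tuple[bool, str]:
    """TLS-connect to host:port, verify the chain against cafile, and
    report whether the presented certificate is for host. With
    send_sni=False no server_name extension is sent, so a server that
    hosts several certificates answers with its default one."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = False        # we report the name check ourselves
        ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain NOT trusted by {cafile}: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"
    ok = hostname_matches(cert, host)
    verdict = "matches" if ok else "does NOT match"
    return ok, f"chain trusted by {cafile}; CN={subject_cn(cert)}; name {verdict} {host}"


# Constructed sample certificates (getpeercert() dict shape), NOT captured
# from any real server: the certificate a server would send when SNI names
# the keyserver, and a default certificate for another name on that host.
SAMPLE_SNI_CERT = {
    "subject": ((("commonName", "keyserver.secretresearchfacility.com"),),),
    "subjectAltName": (("DNS", "keyserver.secretresearchfacility.com"),),
}
SAMPLE_DEFAULT_CERT = {
    "subject": ((("commonName", "www.secretresearchfacility.com"),),),
}


def offline_demo() -> Dict[str, bool]:
    """Hostname check against the two constructed certificates."""
    host = "keyserver.secretresearchfacility.com"
    return {
        "with_sni": hostname_matches(SAMPLE_SNI_CERT, host),
        "without_sni": hostname_matches(SAMPLE_DEFAULT_CERT, host),
    }


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        target, ca = sys.argv[1], sys.argv[2]
        for sni in (True, False):
            _, detail = probe(target, ca, send_sni=sni)
            print(f"SNI {'sent   ' if sni else 'omitted'}: {detail}")
    else:
        print(offline_demo())   # {'with_sni': True, 'without_sni': False}
```

If the hypothesis in the message holds, the live run reports a chain trusted by the pool CA and a matching name when SNI is sent, and a verification failure (or a certificate for a different name) when it is omitted; a client that never sends SNI, such as the curl build under discussion, sees only the second outcome.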
