Keyserver/security bug 1447 (and 1446 too)

Kristian Fiskerstrand kristian.fiskerstrand at
Mon Dec 3 12:16:45 CET 2012

On 12/03/2012 02:04 PM, Werner Koch wrote:
> On Mon,  3 Dec 2012 04:55, gnupg-devel at said:


Greetings, just dropping in quickly and saying hi from my vacation in
Russia here.

> What root CA is to be used?  One of the usual PKIX ones or a
> dedicated for the pool or all keyservers?  If the latter, who is in
> charge of creating the certificates?
> Do you demand the servers should use a certificate issued by the
> pool operators (e.g. as Sub CA)?  Or shall they merely use the pool
> name as an alternative server name?

Currently we're testing with a Root CA that can be downloaded from , that is issuing
a cert for the individual server and adding a subjectAltName
corresponding to the hkps pool. [0]

> Why do you think the pool's name is more trustworthy than the
> individual server name?  We are still talking about round-robin
> DNS, right?

The way I understand it - whether the specified name is a pool or an
individual server isn't the issue - but rather that further from this
it can be modified in the SRV record which can potentially be
poisoned. As long as no CAs are activated by default this will be less
of an issue (as the cert check should fail), but as soon as someone
packages curl / any client with some pre-defined root CAs, "any" server
can take over the request.


> p.s. It is a pity that the keyserver-folks list is dead or that
> the SKS(?) operators don't discuss infrastructure topics on a
> list.

This is mostly discussed at the sks-devel list[1]

-- 
----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
----------------------------
"The power of accurate observation is commonly called cynicism by
those who have not got it."
George Bernard Shaw
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
----------------------------
Public PGP key 0xE3EDFAE3 at
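
The setup discussed in this message, as an added example that is not part of the original e-mail and is not GnuPG or SKS code: a client that trusts only a dedicated pool CA and matches the certificate against the name the user configured, so a poisoned SRV record can redirect the TCP connection but cannot pass verification. The pool name, CA file path and function names are placeholders.

```python
import socket
import ssl

POOL_NAME = "hkps.pool.example"    # constructed placeholder for the configured pool name
POOL_CA_FILE = "pool-root-ca.pem"  # placeholder path to the pool's own root CA


def make_pool_context(ca_file=None):
    """Build a TLS client context that trusts only the CA in ca_file.

    SSLContext(PROTOCOL_TLS_CLIENT) starts with an empty trust store, unlike
    ssl.create_default_context(), which loads the system's predefined root CAs.
    With no predefined roots, a certificate from any other CA fails the check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True            # match the cert's subjectAltName
    ctx.verify_mode = ssl.CERT_REQUIRED  # no unauthenticated fallback
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def connect(configured_name, srv_target, port, ctx):
    """Connect to the host named in the SRV record, verify against the pool name.

    srv_target comes from unauthenticated DNS, so it only decides where the
    TCP connection goes. The certificate must carry configured_name in its
    subjectAltName and chain to the CA loaded into ctx.
    """
    raw = socket.create_connection((srv_target, port), timeout=10)
    try:
        return ctx.wrap_socket(raw, server_hostname=configured_name)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    # Needs network access and the pool's CA file; both values are placeholders.
    context = make_pool_context(POOL_CA_FILE)
    with connect(POOL_NAME, "keyserver1.example", 443, context) as tls:
        print(tls.getpeercert()["subjectAltName"])
```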