Keyserver/security bug 1447 (and 1446 too)
Kristian Fiskerstrand
kristian.fiskerstrand at sumptuouscapital.com
Mon Dec 3 12:16:45 CET 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 12/03/2012 02:04 PM, Werner Koch wrote:
> On Mon, 3 Dec 2012 04:55, gnupg-devel at spodhuis.org said:
>
...
Greetings, just dropping in quickly and saying hi from my vacation in
Russia here.
>
> What root CA is to be used? One of the usual PKIX ones or a
> dedicated for the pool or all keyservers? If the latter, who is in
> charge of creating the certificates?
>
> Do you demand the servers should use a certificate issued by the
> pool operators (e.g. as Sub CA)? Or shall they merely use the pool
> name as an alternative server name?
>
Currently we're testing with a Root CA that can be downloaded from
https://sks-keyservers.net/sks-keyservers.netCA.pem , that is issuing
a cert for the individual server and adding a subjectAltName
corresponding to the hkps pool. [0]
> Why do do you think the pool's name is more trustworthy than the
> individual server name? We are still talking about round-robin
> DNS, right?
>
The way I understand it - whether the specified name is a pool or an
individual server isn't the issue - but rather that further from this
it can be modified in the SRV record which can potentially be
poisoned. As long as no CAs are activated by default this will be less
of an issue (as the cert check should fail), but as soon as someone
package curl / any client with some pre-defined root CAs, "any" server
can take over the request.
...
> p.s. It is a pitty that the keyserver-folks list is dead or that
> the SKS(?) operators don't discuss infrastructure topics on a
> gnupg.org list.
This is mostly discussed at the sks-devel list[1]
[0] https://sks-keyservers.net/overview-of-pools.php
[1] https://lists.nongnu.org/mailman/listinfo/sks-devel
- --
- ----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
"The power of accurate observation is commonly called cynicism by
those who have not got it."
George Bernard Shaw
- ----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
- ----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.0-beta100 (GNU/Linux)
iQIcBAEBCAAGBQJQvIoZAAoJEAt/i2Dj7frjeA4P/0mTDOG2XZ6cDzmQMP5jPs53
DJJw+fpdTv458wZvMSS80DIyAFIkYnxlM7hX5J2v16v5fmyb/7CsiI+6JorasgGO
imTgh8s55kKnp/csDFsqHpMT3Nw0h68FI3pRy+vpDGan3ALtF+BeRcxmEpld1GMc
OIMomLNB5+W9iW5VcK4zbP4H4P2o8cfcPm3HuIekAjR7+oF3YyiHAZPubNJc4Ipr
X3KYmlpYgHLH8RQx6J2fCnvM0HUtS4117HFRMi4CoaeJE6Ny3AOkd09Mq6PuWI0+
7ZqZ4L6ZIeKAs0lnS6oosRp5ktomNa8jgzWs5mqEXRFXYZTAw4e43LdtQB6sam1Z
AlwdkCH1np7rCqPeJaQsgCjhHLt5E5IrmQbRDrfqNam8troUaUOoRz/yTKSXbgZP
sTCsIGh3svNPicxggycsDf7HUwExF2NEapZfhft5AyLcAcZPLcnKaxKwg+McQw73
BcMnc8kBS3rK5FZzM9t2vVRPksKi7ezZxHdgMroTRfBgIdAxmcuLEY8PKc5L3UEc
+fdqYiYseDBsLDhnjNcx2YYprC7XHUp5PWkMLryzpnkJ1arAZFL+FgM14zcFRanV
Vr+mPkP4YbeF5rCAXSyuYM9p5IKSg6xYEV1mnWvzj9ZIQrmH1K//wEovhHAIK4Vd
mAHnd245VvTJEdR3xf6Z
=3gtU
-----END PGP SIGNATURE-----
More information about the Gnupg-devel
mailing list