Keyserver/security bug 1447 (and 1446 too)

jbar jeanjacquesbrucker at
Mon Dec 3 13:01:50 CET 2012

What I didn't understand is that some are still trying to base security on DNS (or sometimes DNSSEC) and X.509 certificates, when we have all the required stuff with OpenPGP without needing the two other technologies (which suck on many points IMHO... :-]).

I mean we could use OpenPGP certificates and the Web of Trust to authenticate HKP key servers, either by linking GnuPG and SKS with GnuTLS to use RFC 6091 (TLS+OpenPGP) [0], or by using the protocol I quickly drafted [1] and began to implement in my own key server, thttpgpd/ludd [2].

My (very) rough draft protocol is an "over-HTTP" solution that authenticates the data instead of the channel. Using it may not be as performant or secure as managing a session ID after a successful RFC 6091 mutual authentication and using an encrypted session, but it is simpler to use and may be useful in some cases (e.g. when not managing a session ID or cookies).

Note: the man page of thttpgpd, my HTTP/HKP server, is kept up to date and may be useful [3]. And you may test the PGP signing of data by my key server using curl like this:
 $ curl -v -H "Accept: multipart/msigned" ""


jbar <jeanjacquesbrucker at>
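The client side of the "authenticate the data, not the channel" approach described in the message, as an added example that is not code from the post, from thttpgpd/ludd, SKS or GnuPG: it splits a signed HTTP reply into the exact bytes that were signed and the detached signature, then hands both to gpg. The page does not describe the multipart/msigned layout, so the example assumes the standard RFC 1847 / RFC 3156 multipart/signed format with protocol "application/pgp-signature"; the sample reply, boundary and placeholder signature are constructed.

```python
"""Check a key-server reply authenticated by a signature over the data, not
the channel.  Added example, not code from thttpgpd/ludd, SKS or GnuPG.
The page does not specify the author's multipart/msigned layout, so this
assumes (an assumption) an RFC 1847 / RFC 3156 multipart/signed body:
part 1 is the HKP reply, part 2 an application/pgp-signature part with a
detached signature over part 1."""
import os
import shutil
import subprocess
import tempfile


def parse_content_type(header):
    """Return (media-type, {param: value}) from a Content-Type value."""
    pieces = [p.strip() for p in header.split(";")]
    params = {}
    for piece in pieces[1:]:
        if "=" in piece:
            name, value = piece.split("=", 1)
            params[name.strip().lower()] = value.strip().strip('"')
    return pieces[0].lower(), params


def split_signed(content_type, body):
    """Split a multipart/signed body into (signed_data, armored_signature).

    RFC 3156: the signed data is the whole first part, MIME headers included,
    with CRLF line endings; the CRLF right before a boundary delimiter belongs
    to the delimiter, not to the data, so it is excluded.
    """
    media_type, params = parse_content_type(content_type)
    if media_type != "multipart/signed":
        raise ValueError("not multipart/signed: %r" % media_type)
    if params.get("protocol", "").lower() != "application/pgp-signature":
        raise ValueError("unsupported protocol %r" % params.get("protocol"))
    delim = b"--" + params["boundary"].encode("ascii")
    # Canonicalise to CRLF so we hash exactly what the signer hashed
    # (signed parts are 7bit/quoted-printable per RFC 3156, so this is safe).
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    first = body.find(delim + b"\r\n")
    if first < 0:
        raise ValueError("missing opening boundary")
    data_start = first + len(delim) + 2
    second = body.find(b"\r\n" + delim + b"\r\n", data_start)
    if second < 0:
        raise ValueError("missing boundary between data and signature")
    sig_start = second + 2 + len(delim) + 2
    closing = body.find(b"\r\n" + delim + b"--", sig_start)
    if closing < 0:
        raise ValueError("missing closing boundary")
    sig_part = body[sig_start:closing]
    header_end = sig_part.find(b"\r\n\r\n")
    if header_end < 0:
        raise ValueError("signature part lacks a header/body separator")
    if b"application/pgp-signature" not in sig_part[:header_end].lower():
        raise ValueError("second part is not application/pgp-signature")
    return body[data_start:second], sig_part[header_end + 4:]


def gpg_verify(signed_data, signature, homedir=None):
    """Run `gpg --verify` on the detached signature.

    Returns (good, trusted): good = the signature verifies under a key gpg
    holds; trusted = that key is fully or ultimately valid in the local web
    of trust, which is what authenticating the *server* requires.  Returns
    None when no gpg binary is installed.
    """
    gpg = shutil.which("gpg") or shutil.which("gpg2")
    if gpg is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        data_path = os.path.join(tmp, "reply")
        sig_path = os.path.join(tmp, "reply.asc")
        with open(data_path, "wb") as f:
            f.write(signed_data)
        with open(sig_path, "wb") as f:
            f.write(signature)
        cmd = [gpg, "--batch", "--status-fd", "1"]
        if homedir:
            cmd += ["--homedir", homedir]
        status = subprocess.run(cmd + ["--verify", sig_path, data_path],
                                capture_output=True).stdout
    good = b"[GNUPG:] GOODSIG " in status
    trusted = good and (b"[GNUPG:] TRUST_FULLY" in status
                        or b"[GNUPG:] TRUST_ULTIMATE" in status)
    return good, trusted


# Constructed sample reply; the signature block is a placeholder, not real.
SAMPLE_CT = ('multipart/signed; protocol="application/pgp-signature"; '
             'micalg=pgp-sha256; boundary="hkp-sig-0001"')
SAMPLE_BODY = (
    b"--hkp-sig-0001\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"constructed HKP reply line 1\r\n"
    b"constructed HKP reply line 2\r\n"
    b"\r\n"
    b"--hkp-sig-0001\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--hkp-sig-0001--\r\n"
)

if __name__ == "__main__":
    data, sig = split_signed(SAMPLE_CT, SAMPLE_BODY)
    print(data.decode("ascii"))
    print("gpg says:", gpg_verify(data, sig))
```

Two points matter in practice. First, the signed bytes must be recovered from the raw body rather than from a MIME library that re-serialises parts, or the hash will not match what the server signed. Second, a GOODSIG only proves the reply came from some key in your keyring; authenticating the key server in the sense the message proposes means that key must be valid through your Web of Trust, which is why the TRUST_FULLY / TRUST_ULTIMATE status lines are checked as well. Nothing here binds the reply to the request, so freshness against a replayed old reply is outside what a signature over the data alone provides.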