Keyserver/security bug 1447 (and 1446 too)
jbar
jeanjacquesbrucker at gmail.com
Mon Dec 3 13:01:50 CET 2012
What I didn't understand is that some are still trying to base security on DNS (or sometimes DNSSEC) and X.509 certificates, when we have all the required stuff with OpenPGP without having to care about the 2 other technologies (which suck on many points IMHO... :-]).
I mean we could use OpenPGP certificates and the Web of Trust to authenticate HKP key servers, either by linking GnuPG and SKS with GnuTLS to use RFC 6091 (TLS+OpenPGP) [0], or by using the protocol I have quickly drafted [1] and begun to implement on my own key server thttpgpd/ludd [2].
My (very) draft protocol is an "over-HTTP" solution that authenticates some data instead of the channel. Using it may not be as performant or secure as managing a session ID after a successful RFC 6091 mutual authentication and using an encrypted session, but it is simpler to use and may be useful in some cases (e.g. when not managing a session ID or cookies).
Note: the man page of thttpgpd, my HTTP/HKP server, is always up to date and may be useful [3]. And you may test the PGP signing of data by my key server using curl like this:
$ curl -v -H "Accept: multipart/msigned" "http://domesticserver.org:11371/pks/lookup?search=jbar&search=loubov"
[0]: http://www.gnu.org/software/gnutls/openpgp.html
[1]: https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt
[2]: http://domesticserver.org:11371/pks/
[3]: https://github.com/Open-UDC/open-udc/blob/master/ludd/src/ludd.8.in
--
jbar <jeanjacquesbrucker at gmail.com>