Keyserver/security bug 1447 (and 1446 too)
jeanjacquesbrucker at gmail.com
Mon Dec 3 13:01:50 CET 2012
What I didn't understand is that some are still trying to base security on DNS (or DNSSEC sometimes) and X509 certificates, when we have all the required stuff with OpenPGP without taking care of the 2 other technologies (which suck on many points IMHO... :-]).
I mean we could use OpenPGP certificates and the Web of Trust to authenticate HKP key servers, either by linking GnuPG and SKS with GnuTLS to use RFC 6091 (TLS+OpenPGP), or by using the protocol I have quickly drafted and begun to implement on my own key server thttpgpd/ludd.
My (very) draft protocol is an "over-HTTP" solution that authenticates some data instead of the channel. Using it may not be as performant or secure as managing a SessionID after a successful RFC 6091 mutual authentication and using an encrypted session, but it is simpler to use and may be useful in some cases (e.g. when not managing a SessionId or cookies).
Note: the man page of thttpgpd, my HTTP/HKP server, is always up to date and may be useful. And you may test the PGP signing of data by my keyserver using curl like this:
$ curl -v -H "Accept: multipart/msigned" "http://domesticserver.org:11371/pks/lookup?search=jbar&search=loubov"
jbar <jeanjacquesbrucker at gmail.com>
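An added illustration of the "authenticate the data, not the channel" idea from the post above (not code from the post, from thttpgpd/ludd, or from the GnuPG project): the reply to the curl request is assumed to be laid out like an RFC 3156 multipart/signed body, i.e. a first MIME part carrying the HKP listing and a second part carrying a detached OpenPGP signature over the exact bytes of the first part. The response body, the boundary name, the key-listing lines and the armored signature block are all constructed placeholders; the real multipart/msigned format of thttpgpd may differ. The split logic is what a verifier has to get right before handing anything to gpg: the signed bytes run from the first part's own headers up to, but not including, the CRLF that precedes the next boundary, and they must keep CRLF line endings. The `verify_with_gpg` helper assumes a `gpg` binary on PATH and is not exercised offline.

```python
"""Split an RFC 3156-style multipart/signed HTTP response into the exact signed
bytes and the detached OpenPGP signature, so an HKP listing fetched over plain
HTTP can be verified independently of the transport (added example, assumes an
RFC 3156 layout; not the thttpgpd format itself)."""
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample response (not a capture from a real keyserver).  Key ids,
# dates and the signature block are placeholders; a chunked HTTP body would
# have to be de-chunked before being handed to split_signed().
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: multipart/signed; boundary=\"hkp-sig\";\r\n"
    b"\tmicalg=pgp-sha256; protocol=\"application/pgp-signature\"\r\n"
    b"\r\n"
    b"--hkp-sig\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"info:1:1\r\n"
    b"pub:PLACEHOLDERKEYID:1:2048:1354536110::\r\n"
    b"uid:Example User <user at example.org>:1354536110::\r\n"
    b"--hkp-sig\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"PLACEHOLDERSIGNATUREDATA\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--hkp-sig--\r\n"
)


class SignedResponseError(ValueError):
    """Raised when the response is not a well-formed two-part signed body."""


def split_signed(raw: bytes):
    """Return (signed_bytes, armored_signature, micalg) from a raw response.

    signed_bytes is byte-exact: it includes the first part's MIME headers and
    excludes the CRLF that belongs to the following boundary delimiter.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SignedResponseError("no header/body separator")
    m = re.search(rb'boundary="?([^";\r\n]+)"?', head)
    if not m:
        raise SignedResponseError("no boundary parameter in Content-Type")
    boundary = m.group(1)
    micalg_m = re.search(rb'micalg="?([^";\r\n]+)"?', head)
    micalg = micalg_m.group(1).decode("ascii") if micalg_m else None

    # RFC 2046: the delimiter is CRLF + "--" + boundary, so the CRLF before a
    # boundary line is not part of the preceding part.  Prepending CRLF lets
    # the very first boundary (at the start of the body) split like the rest.
    delim = b"\r\n--" + boundary
    chunks = (b"\r\n" + body).split(delim)
    if len(chunks) < 4 or not chunks[3].startswith(b"--"):
        raise SignedResponseError("expected two parts and a closing boundary")
    signed, sig_part = chunks[1], chunks[2]
    if not (signed.startswith(b"\r\n") and sig_part.startswith(b"\r\n")):
        raise SignedResponseError("boundary line not terminated by CRLF")
    signed, sig_part = signed[2:], sig_part[2:]

    # RFC 3156 requires canonical CRLF line endings in the signed part; a bare
    # LF anywhere means the bytes were altered in transit (or mis-generated).
    if b"\n" in signed.replace(b"\r\n", b""):
        raise SignedResponseError("signed part must use CRLF line endings")

    sig_head, _, sig_body = sig_part.partition(b"\r\n\r\n")
    if b"application/pgp-signature" not in sig_head.lower():
        raise SignedResponseError("second part is not application/pgp-signature")
    return signed, sig_body, micalg


def is_well_formed(raw: bytes) -> bool:
    """Convenience predicate: True if split_signed() accepts the response."""
    try:
        split_signed(raw)
        return True
    except SignedResponseError:
        return False


def verify_with_gpg(signed: bytes, armored_sig: bytes, gpg: str = "gpg") -> bool:
    """Hand the exact signed bytes and the detached signature to gpg.

    Assumes a gpg binary on PATH and the server's key already in the keyring
    (this assumption is mine, not something the post specifies).
    """
    with tempfile.TemporaryDirectory() as tmp:
        sig_path = Path(tmp) / "listing.asc"
        sig_path.write_bytes(armored_sig + b"\r\n")
        # "-" makes gpg read the signed data from stdin.
        proc = subprocess.run(
            [gpg, "--batch", "--verify", str(sig_path), "-"],
            input=signed, capture_output=True,
        )
        return proc.returncode == 0


if __name__ == "__main__":
    data, sig, alg = split_signed(SAMPLE_RESPONSE)
    print("micalg:", alg)
    print("signed bytes:", len(data), "signature bytes:", len(sig))
```

Only the split and the CRLF check are exercised offline; with a genuine signed reply from a keyserver and its key in the local keyring, `verify_with_gpg(data, sig)` would complete the check, which is exactly the step that makes the transport (plain HTTP on port 11371) irrelevant to the integrity of the listing.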