Keyserver/security bug 1447 (and 1446 too)

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Dec 4 13:45:23 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 12/04/2012 01:21 PM, Phil Pennock wrote:
> On 2012-12-04 at 07:43 +0100, Werner Koch wrote:
>> If you want me to delegate keys.gnupg.net to another pool
>> operator group, please let me know.
> 
> If you want to get out of the issue entirely, I recommend taking a
> look at <http://www.sks-keyservers.net/overview-of-pools.php> and
> pick one to CNAME to.  I suggest "ha.pool.sks-keyservers.net".

iirc this is the case already[0].

The only issue with (in particular the HA pool) is that not all of the
servers behind reverse proxies are configured for this vhost. Maybe it
would make sense to put up a pool for servers specifically not behind
a reverse proxy, but that'd be another can of worms. So I'll see if I
can get around to adding some additional vhost (HTTP Host Header)
checks somewhere.


[0] http://lists.gnupg.org/pipermail/gnupg-users/2012-May/044504.html


- -- 
- ----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Ne nuntium necare
Don't kill the messenger
- ----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
- ----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.0-beta100 (GNU/Linux)
-----END PGP SIGNATURE-----



More information about the Gnupg-devel mailing list