Raising the floor for the pool to SKS version 1.1.6 [was: Re: Importing ed25519 subkeys from SKS < 1.1.6]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Sep 7 00:16:38 CEST 2017

(adding sks-devel to this thread since it discusses changing the
minimum bar for the pool)

On Wed 2017-09-06 23:46:59 +0200, Kristian Fiskerstrand wrote:
> On 09/06/2017 11:33 PM, Werner Koch wrote:
>> including all of the RSA and DSA subkeys.  But not the original
>> requested ed25519 key.  It seems SKS 1.1.5 partly supports ed25519 keys
>> but for example does not return them.
> No, 1.1.5 supports RFC6637 but not the ed25519/curve25519 variants
>> Hopefully the remaining SKS 1.1.5 installations will soon update to
>> 1.1.6 which does not have this problem.
> hkp://subset.pool.sks-keyservers.net requires SKS 1.1.6, I've been
> pondering requiring the main pool to use this, which can be discussed
> if we want to push ed25519/curve25519

SKS 1.1.6 was released over 1 year ago (on 2016-08-07).  It is well
tested and widely deployed.

looking at https://sks-keyservers.net/status/ -- i'd say we can afford
to move to SKS 1.1.6 for the main pool.

We will (temporarily) go from 116 members of the main pool to 85 -- a
loss of about 25%.  But we also provide an incentive for those members
to upgrade to 1.1.6, so i expect we'll make some of that back.

We only lose 3 members from the hkps pool, and 2 members from the
onionbalance, so i'd recommend making it a minimum there too.

About feasibility of upgrades: version-wise, people tend to treat debian
as the "old, out of date distro", and for debian:

 * Debian stable (stretch) has SKS 1.1.6.

 * people running debian oldstable (jessie) can install 1.1.6 from

People running keyservers on ubuntu LTS will need to find a PPA or some
other alternative (xenial offers only 1.1.5 in universe), but so it goes
:/ (I note that a previous attempt to get a backport into an ubuntu LTS
appears to have gone unresolved:
https://bugs.launchpad.net/trusty-backports/+bug/1435397 -- but perhaps
micahg can be convinced to update his ppa in a similar way at least)

I recommend requiring at least SKS 1.1.6 for membership in all the


More information about the Gnupg-devel mailing list