Raising the floor for the pool to SKS version 1.1.6 [was: Re: Importing ed25519 subkeys from SKS < 1.1.6]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Sep 7 00:16:38 CEST 2017
(adding sks-devel to this thread since it discusses changing the
minimum bar for the pool)

On Wed 2017-09-06 23:46:59 +0200, Kristian Fiskerstrand wrote:
> On 09/06/2017 11:33 PM, Werner Koch wrote:
>
>> including all of the RSA and DSA subkeys. But not the original
>> requested ed25519 key. It seems SKS 1.1.5 partly supports ed25519 keys
>> but for example does not return them.
>
> No, 1.1.5 supports RFC6637 but not the ed25519/curve25519 variants
>
>> Hopefully the remaining SKS 1.1.5 installations will soon update to
>> 1.1.6 which does not have this problem.
>
> hkp://subset.pool.sks-keyservers.net requires SKS 1.1.6, I've been
> pondering requiring the main pool to use this, which can be discussed
> if we want to push ed25519/curve25519

SKS 1.1.6 was released over 1 year ago (on 2016-08-07). It is well
tested and widely deployed.

looking at https://sks-keyservers.net/status/ -- i'd say we can afford
to move to SKS 1.1.6 for the main pool.

We will (temporarily) go from 116 members of the main pool to 85 -- a
loss of about 25%. But we also provide an incentive for those members
to upgrade to 1.1.6, so i expect we'll make some of that back.

We only lose 3 members from the hkps pool, and 2 members from the
onionbalance, so i'd recommend making it a minimum there too.

About feasibility of upgrades: version-wise, people tend to treat debian
as the "old, out of date distro", and for debian:

 * Debian stable (stretch) has SKS 1.1.6.

 * people running debian oldstable (jessie) can install 1.1.6 from
   jessie-backports.

People running keyservers on ubuntu LTS will need to find a PPA or some
other alternative (xenial offers only 1.1.5 in universe), but so it goes
:/ (I note that a previous attempt to get a backport into an ubuntu LTS
appears to have gone unresolved:
https://bugs.launchpad.net/trusty-backports/+bug/1435397 -- but perhaps
micahg can be convinced to update his ppa in a similar way at least)

I recommend requiring at least SKS 1.1.6 for membership in all the
pools.

      --dkg