Launching a new keyserver on keys.openpgp.org!

Bernhard Reiter bernhard at intevation.de
Tue Jul 9 13:59:09 CEST 2019


Dear Hagrid Team,

On Wednesday 12 June 2019 18:53:50, Vincent Breitmoser wrote:
> the Hagrid team is pleased to announce the launch of our new keyserver,
> running at keys.openpgp.org!

[..] 
> https://keys.openpgp.org/about/news#2019-06-12-launch
[..] 

> Some of the things we do are a bit experimental. For some things we found
> that there is no good mechanism at this point, so we decided to drop them
> for now.  

it is good to see more code around OpenPGP.
Maybe hagrid can be useful to improve the common infrastructure to 
distribute public keys in the future.

From my point of view the service announcement and its description
is a bit problematic, though:

The choice of keys.openpgp.org lets people assume that there is a larger 
consensus in the OpenPGP world about hagrid, while from my point of view
some approaches are still controversial.

The announcement and domain name portray the service as an "OpenPGP 
keyserver", while at least with the distribution of pubkeys without user id it 
is not in compliance with RFC4880. But the announcement makes it sound like 
this is a defect in GnuPG. A clearer phrasing would have pointed this out: 
GnuPG behaves according to the current standard, from which we deviate (for a 
reason).

Hagrid uses an OpenPGP implementation which describes itself as having "few to no"
products using it and "not a lot of experience with it in the wild". So it is 
experimental, just like you write here, but not in the official announcement.

People even further away may have assumed that hagrid is an offering like the 
old keyservers, which means carrying third party signatures. The timing of the 
announcement here works against hagrid, as the attacks on the SKS keyserver 
network have recently become public close to the time of the hagrid 
announcement. Being close in timing, people may assume some 
correlation. Are you aware of any correlation? (Like you having accelerated 
the announcement after you learned about the attacks.)

Hopefully some of the descriptions can be improved. Though the press has 
already picked up on some of the points.

Technically I believe that it is possible to preserve the current idea
of a keyserver and make it privacy aware, but still decentralized and 
non-validating, while still transporting third party signatures and several 
keys for an email address. I'll outline this in other emails to gnupg-devel at .

If hagrid could be turned into a more robust replacement for the current 
keyserver software, to me it would be a useful addition.

Sincerely,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner