Can't propagate key through public keyservers
John Clizbe
JPClizbe at comcast.net
Sat Oct 28 08:33:34 CEST 2006
John W. Moore III wrote:
> Bjoern Buerger wrote:
>> Michael Kallas wrote:
>>> hkp://subkeys.pgp.net or hkp://sks.keyserver.penguin.de ?
>
>> Sorry, the latter is down at the moment. But you can
>> try hkp://random.sks.keyserver.penguin.de instead,
>> which is a collection of public sks keyservers. All
>> of them treat subkeys in a safe way.
>
> I'd recommend hkp://blackhole.pca.dfn.de
I wouldn't, and it has nothing to do with the server choice.
Remember, we're discussing automatic key retrieval specified in gpg.conf. One
doesn't have a forty server drop-down list to cycle through, so it needs to be a
best guess.
What if blackhole.pca.dfn.de is down or otherwise unreachable? Or foo.baz.net?
Or ...? As Bjoern indicated, sks.keyserver.penguin.de is down at the moment even
though it may be the perfect choice otherwise.
Recommending a single server also is *not* good net citizenship in a case such
as this. It is the type of advice that causes servers to be overloaded with an
undue amount of traffic as users take such recommendations as 'Gospel'.
Ultimately it's the users that suffer the bottleneck. In the worst case, the
administrator takes the machine offline; bandwidth costs money - directing all
inquiries to a single server is irresponsible. For a comparison, I'll direct you
to the recent case of D-Link, which had all of their routers throughout the
world hammering a single NTP server in Denmark for time updates. See
http://en.wikipedia.org/wiki/NTP_vandalism#D-Link_and_Poul-Henning_Kamp
random.sks.keyserver.penguin.de is a DNS round-robin updated nightly with the
currently reachable SKS servers. This removes servers that have been down from
consideration. Only if there is trouble that day or at the same time as the
query could one worry about the server being unreachable. A round-robin also
spreads the load among all servers, and since this is SKS, it really is
unimportant which server you use to update or query.
random.sks.keyserver.penguin.de provides the best solution of the perennial
"which server should I use" question. With keyservers just as with keys, it is
best to stick with a default behavior unless you have a clear and sensible
reason not to do so.
--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Success is the ability to go from failure to failure without losing your
enthusiasm." - Mrs. Patrick Campbell
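The round-robin argument above (resolve one name to many currently reachable servers, pick one at random, fall back to another if it does not answer) is easy to model. The following is an added illustration, not code from the original post or from GnuPG; the addresses, the reachability table and the `resolve`/`probe` stand-ins are constructed so it runs offline without touching DNS or any keyserver.

```python
import random

# Constructed stand-in for a nightly-updated round-robin DNS record:
# the collective name resolves to several SKS servers at once, while a
# hard-coded single server resolves to exactly one address.
CONSTRUCTED_ROUND_ROBIN = {
    "random.sks.keyserver.penguin.de": [
        "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
    ],
    "single.example.invalid": ["192.0.2.99"],   # hypothetical lone server
}

# Constructed reachability table: which addresses answer an HKP query today.
CONSTRUCTED_REACHABLE = {"192.0.2.10", "192.0.2.12", "192.0.2.13"}


def resolve(name):
    """Stand-in for DNS resolution; returns every address behind the name."""
    return list(CONSTRUCTED_ROUND_ROBIN.get(name, []))


def probe(addr):
    """Stand-in for an HKP connection attempt (TCP port 11371 in real life)."""
    return addr in CONSTRUCTED_REACHABLE


def pick_keyserver(name, resolver=resolve, prober=probe, rng=random):
    """Return the first reachable address behind `name`.

    The resolved addresses are tried in random order so that load spreads
    across the whole collection instead of piling onto one host. Returns
    None when nothing answers, rather than hanging on a single dead server.
    """
    addrs = resolver(name)
    rng.shuffle(addrs)
    for addr in addrs:
        if prober(addr):
            return addr
    return None


def load_spread(name, trials=1000, seed=0):
    """Count how often each address is chosen over many lookups, to show
    that a round-robin name distributes queries across reachable servers."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        addr = pick_keyserver(name, rng=rng)
        counts[addr] = counts.get(addr, 0) + 1
    return counts


if __name__ == "__main__":
    print("round-robin:", pick_keyserver("random.sks.keyserver.penguin.de"))
    print("single host:", pick_keyserver("single.example.invalid"))
    print("spread:", load_spread("random.sks.keyserver.penguin.de"))
```

With the constructed tables, the single hard-coded host (`192.0.2.99`) is never reachable and every lookup fails, whereas the round-robin name always yields one of the three live servers and the thousand-trial spread lands roughly a third on each of them; the one dead address in the collection is simply skipped.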