keyserver queries over TLS [was: Re: auto refresh-keys]

Jameson Rollins jrollins at finestructure.net
Sun Jun 20 20:32:48 CEST 2010


On Sun, 20 Jun 2010 02:50:41 +0100, MFPA <expires2010 at ymail.com> wrote:
> > So in order to be safe you need additional CPU load
> > either for TLS or for signing. Signing is superior IMHO
> > because it allows reuse of the data (one crypto action
> > (covering less data) for several users vs. one for each
> > user with TLS) and makes more sense because you don't
> > need a second crypto system (X.509) to protect the
> > first (OpenPGP).
> 
> Starting from where we are now, as far as I know there are no
> keyservers that sign their output, but there are keyservers that use
> TLS.
> 
> And TLS does not have to be X.509. There is a draft spec for using
> openpgp keys with TLS http://tools.ietf.org/search/rfc5081 which is
> implemented in the GnuTLS library
> http://www.gnu.org/software/gnutls/gnutls.html

This is turning into a separate thread, but while we're on it, I just
wanted to point out that the Monkeysphere Project [0] currently provides
a means for doing OpenPGP-based site authentication/encryption over TLS,
and has discussed building a gpg plugin that can do OpenPGP validation
of hkps keyserver queries:

https://labs.riseup.net/code/issues/2016

jamie.

[0] http://web.monkeysphere.info/
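To make the signing-versus-TLS argument in the quoted text concrete, here is an added Go example that is not from the thread, GnuPG, or Monkeysphere: a hypothetical keyserver signs a response once with its own ed25519 key, and every client verifies that one signature against a pinned public key, rejecting altered or stale copies. The response layout, the ed25519 signing key, and the one-hour freshness window are assumptions, not any real keyserver's protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedKeyResponse: hypothetical keyserver reply, key material plus one detached
// signature made with the keyserver's own (assumed ed25519) signing key.
type SignedKeyResponse struct {
	Fingerprint string
	KeyData     []byte
	IssuedAt    int64 // unix seconds, so clients can bound staleness
	Signature   []byte
}

// signedPayload is what both sides sign and verify; the length prefix stops
// fingerprint bytes from being shifted into the key data (or vice versa).
func signedPayload(fp string, key []byte, issued int64) []byte {
	buf := make([]byte, 16, 16+len(fp)+len(key))
	binary.BigEndian.PutUint64(buf[0:8], uint64(len(fp)))
	binary.BigEndian.PutUint64(buf[8:16], uint64(issued))
	buf = append(buf, fp...)
	return append(buf, key...)
}

// Sign runs once on the server; the result can be cached and handed to any number of clients or mirrors.
func Sign(priv ed25519.PrivateKey, fp string, key []byte, issued int64) SignedKeyResponse {
	return SignedKeyResponse{fp, key, issued, ed25519.Sign(priv, signedPayload(fp, key, issued))}
}

// Verify is what each client does against the pinned keyserver public key.
func Verify(pub ed25519.PublicKey, r SignedKeyResponse, now int64, maxAge time.Duration) error {
	if !ed25519.Verify(pub, signedPayload(r.Fingerprint, r.KeyData, r.IssuedAt), r.Signature) {
		return errors.New("signature invalid: altered in transit or not from the pinned keyserver")
	}
	if now-r.IssuedAt > int64(maxAge.Seconds()) {
		return errors.New("response too old: possibly a replayed snapshot")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Unix()
	// Constructed sample, not a real OpenPGP key block; signed once, checked by any client.
	resp := Sign(priv, "CONSTRUCTED-FINGERPRINT", []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"), now)
	fmt.Println("client check:", Verify(pub, resp, now, time.Hour))
	resp.KeyData[0] ^= 1 // simulate a tampered copy
	fmt.Println("tampered copy:", Verify(pub, resp, now, time.Hour))
}
```

Note that the cached, signed response still needs the freshness check: signing lets mirrors serve the data cheaply, but it also lets them serve an old snapshot unless the client bounds its age.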