Questions about OpenPGP best practices

Mark H. Wood mwood at IUPUI.Edu
Tue Feb 26 15:43:26 CET 2013


On Mon, Feb 25, 2013 at 05:54:34PM -0500, Peter Loshin wrote:
> 3. On using a keyserver with HKPS support: when I attempt to connect
> (via Chrome) to https://sks-keyservers.net/, I get an error headlined
> "The site's security certificate is not trusted!", stating "the
> server presented a certificate issued by an entity that is not trusted
> by your computer's operating system."

That service presents a self-signed certificate (I checked), which
means that if you do not already have a copy of that cert. installed in
your browser and marked trusted, then it cannot be verified.  You would
need to satisfy yourself that the certificate is genuine and the
service trustworthy, and then install the certificate in your browser,
in order to make the message go away.  (Well, at least one would have
to install the cert., whether one does any investigation or not. :-/ )

> 4. When I try to use hkps://sks-keyservers.net with GnuPG at the
> command line, I get these messages:
> 
> gpgkeys: HTTP post error 1: unsupported protocol
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error

I have no idea about this one and I'm too lazy to go read the protocol
documents.

> And when I try the same with the domain name only (sks-keyservers.net)
> I get these messages:
> 
> : can't connect to `sks-keyservers.net': No route to host
> gpgkeys: HTTP post error 7: couldn't connect: No route to host
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error

The site doesn't want unencrypted connections, and the way they
enforce this is by returning "no route" to requests for connection to
port 80.  I would have used "administratively prohibited", to give
real users a clue, but they may be trying to be less visible to 'bots.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
There's an app for that:  your browser
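
The fingerprint check implied by the first reply (confirm a self-signed certificate is genuine before marking it trusted), shown as an added example that is not part of the original message. The function names are hypothetical, the sample certificate bytes are constructed stand-ins, and the pinned fingerprint is assumed to come from the service operator over a separate channel.

```python
import hashlib
import ssl


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; reject anything else."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_pin(pem: str, pinned_fp: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    return cert_fingerprint(pem) == normalize(pinned_fp)


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch whatever certificate the server presents, unvalidated.

    Needs network access. The result is untrusted until matches_pin()
    succeeds against a fingerprint obtained out of band.
    """
    return ssl.get_server_certificate((host, port))


# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for a self-signed certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    hexfp = cert_fingerprint(SAMPLE_PEM)
    # Colon-separated upper-case form, as browsers usually display it.
    pin = ":".join(hexfp[i:i + 2] for i in range(0, 64, 2)).upper()
    print("pin matches:", matches_pin(SAMPLE_PEM, pin))
    # A certificate swapped in transit has a different fingerprint.
    other = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")
    print("swapped cert matches:", matches_pin(other, pin))
```

Only after `matches_pin()` returns true for the fetched certificate is there a basis for installing it as trusted.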