Local solutions: SKS Keyserver Network Under Attack

Roland siemons at cleanfuels.nl
Wed Jul 3 15:00:16 CEST 2019


Thanks, Peter, for this confirmation.

You give further detail to what I had guessed in the course of playing 
with the settings of GPA and Kleopatra.

I conclude that there are at least two possible actions for those who 
want to protect their systems:
1/ In the GUIs of GPA or Kleopatra, fiddle with the settings as I suggested 
earlier in this thread. And for Enigmail: your suggestion.
or
2/ In the terminal, edit ~/.gnupg/dirmngr.conf so as to say "keyserver 
hkps://keys.openpgp.org/" or, if that file does not exist, create it 
as per your suggestion.

This could be useful for some mere common GnuPG users, like me.

Greetz

Roland

Some side thoughts:
1/ Perhaps the fear of compromised communication (including distributed 
software, private messages) can be mitigated by practicing short feedback 
lines: confirmations. Like "did you get my communication, what did 
it say?"
2/ Perhaps one should not give too much trust to a WoT at all. After 
all, a crook can pretend to be a friend, and thus yield the entire WoT 
untrustworthy. Sometimes a friend becomes an enemy at a later stage. As 
a very ordinary mere user, I do not really understand the trust levels 
that GnuPG asks me to consider. How can a WoT that is not 100% 
understood by absolutely all users be reliable?
3/ With these thoughts, I hope NOT to embarrass the developers. Forget 
it, if you consider it useless for your troubles. (Thanks for GnuPG!)


On 03/07/2019 12:58, Peter Lebbing wrote:
> Hello Roland,
>
>> Hansen's and DKG's blog are only partly helpful. For example my Linux
>> system seems to *not* have a ~/.gnupg/dirmngr.conf file at all (one
>> of those files recommended for editing). I.e. Nautilus cannot find it.
> The usual case on Linux systems is that if a configuration file would
> otherwise be empty or equal to the default (the two can be entirely
> different things in general!), the configuration file simply does not
> exist.
>
> So instead of modifying ~/.gnupg/dirmngr.conf, *create* one and put a
> single line in it saying
>
> keyserver hkps://keys.openpgp.org/
>
> I encountered some strange behaviour here: I invoked
>
> $ gpgconf --reload dirmngr
>
> afterwards (otherwise dirmngr will not reconsider its now changed
> configuration), and it *did not work*. It was still using the default.
> It did work after I rebooted (I was not in the mood to fiddle more with
> it and did the most heavy-handed thing that would work).
>
> Also, Enigmail doesn't seem to use this configuration at all and instead
> it is configured at
>
> Enigmail -> Preferences -> Keyserver
>
> I did verify using systemd's journal that the gpgconf --reload command
> reached its intended goal: dirmngr said "re-reading config". It just
> didn't have an effect for some odd reason. For people thinking about
> this: no, I don't use Tor for keyservers, it's not related to dirmngr
> refusing to change keyservers when on Tor.
>
> HTH,
>
> Peter.
>
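The terminal route discussed in this thread (create ~/.gnupg/dirmngr.conf if it is missing, make it say `keyserver hkps://keys.openpgp.org/`, then tell dirmngr to re-read its configuration with `gpgconf --reload dirmngr`) as an added POSIX shell example. This is not code from the thread or from the GnuPG project; it assumes only a POSIX sh, awk and grep, and a writable GNUPGHOME (defaulting to ~/.gnupg). The function names `set_keyserver`, `configured_keyserver`, `count_keyserver_lines` and `reload_dirmngr` are this example's own. It goes slightly beyond the thread in that it also replaces any existing `keyserver` lines (pointing at the SKS pool, for instance) instead of only handling the missing-file case, while leaving unrelated settings in the file untouched.

```shell
#!/bin/sh
# Added example, not from the thread: point dirmngr at keys.openpgp.org.
# Assumes POSIX sh/awk/grep and a writable GnuPG home directory.

# set_keyserver CONFIG_FILE URL
# Creates CONFIG_FILE (and its directory) if missing, removes any existing
# "keyserver" lines, and appends exactly one "keyserver URL" line.
# All other settings already in the file are preserved.
set_keyserver() {
    conf="$1"
    url="$2"
    dir=$(dirname "$conf")
    [ -d "$dir" ] || mkdir -p "$dir"
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        # keep everything except old keyserver lines (grep -v exits 1
        # when nothing is left, which is fine here)
        grep -v '^[[:space:]]*keyserver[[:space:]]' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'keyserver %s\n' "$url" >> "$tmp"
    mv "$tmp" "$conf"
}

# configured_keyserver CONFIG_FILE
# Prints the keyserver that CONFIG_FILE currently sets (last one wins),
# or nothing if the file is absent or has no keyserver line.
configured_keyserver() {
    [ -f "$1" ] || return 0
    awk '$1 == "keyserver" { ks = $2 } END { if (ks != "") print ks }' "$1"
}

# count_keyserver_lines CONFIG_FILE
# Prints how many keyserver lines the file has (0 if none or absent).
count_keyserver_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^[[:space:]]*keyserver[[:space:]]' "$1" || true
}

# reload_dirmngr
# dirmngr only re-reads its config when told to (or on restart), as the
# thread notes. Returns 0 if the reload was requested, 1 if gpgconf is
# not installed on this machine.
reload_dirmngr() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    gpgconf --reload dirmngr
}

# Usage on a real system:
#   set_keyserver "${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf" hkps://keys.openpgp.org/
#   reload_dirmngr
#   configured_keyserver "${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf"
```

If `configured_keyserver` shows the new URL but dirmngr still fetches from the old pool, the reload did not take effect; the thread reports one case where only restarting (there, a reboot) made the change stick, so check `gpg --search-keys` behaviour after the reload rather than trusting the file alone.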