SKS Keyserver Network Under Attack

Andrew Gallagher andrewg at andrewg.com
Sun Jun 30 10:50:18 CEST 2019


>> Thankfully there is a practical - if drastic - solution for all
>> OpenPGP users everywhere. Point pool.sks-keyservers.net (and its
>> various aliases) somewhere else. The question is where to and how
>> soon.
> 
> (I am certain Andrew has already considered this: I am making explicit
> what I think Andrew considered to be implicit.)
> 
> The obvious choice there is hkps://keys.openpgp.org.  The problem there
> is keys.openpgp.org is not a drop-in replacement for SKS, and there's a
> tremendous chance of breaking workflows in unpredictable places.
> 

Yes, this is the “how soon”. We are *nowhere near* prepared enough to take that step now. But a solution exists (at least in principle) that does not require end users to take any action. The big obstacles are:

1. scalability. A non-distributed key service could potentially collapse if global hkp(s) traffic were redirected to it.
2. reliability. There would need to be enough failover capacity in the new system to withstand individual server failure.
3. interoperability. The replacement service would need to be fully compatible with all existing clients. DKG’s internet draft shows how hard this will be to ensure in practice without simply replicating the problems of the existing network.

We’ve known this day was coming for some time. We’ve just got a fire lit under our collective backsides.

A
