Design of a Modern Keyserver Network
Seth McDonald
mcdonald_seth at pm.me
Fri Jan 17 23:59:51 CET 2025
Hello all,
For about the past month or two, I've been researching and teaching myself
OpenPGP and GnuPG, which led to me attempting to find out what happened to all
the keyservers over the past few years, since many resources on GnuPG reference
keyservers which no longer function. To my understanding, it seems the vast
majority of keyservers (connected via the 'SKS network') were functionally
damaged due to a 2019 'certificate poisoning' attack, and were subsequently
shut down in 2021 due to being unable to comply with the GDPR.
As such, I decided to take a crack at rectifying the design of the keyserver
network. I've written a detailed outline in a GitHub Gist, which I'll link
below. But to give a brief summary, I break down the requirements of a modern
keyserver network into six main criteria, including the storage and
distribution of public keys, the ability to defend against state force, the
ability to withstand the previously inflicted attacks, etc. And to meet these
criteria, I propose the use of metadata in the storage and distribution of
public keys.
In particular, every public key can carry with it three pieces of metadata: a
hash, a detached signature, and a revocation certificate. The hash is unique to
a key upload attempt and the signature is of the hash, generated in the
process of uploading the public key to confirm the client has access to the
private key. The signature is checked to be valid both when uploading and
synchronising the public key. The revocation certificate is given when first
uploading the public key, and if added to the public key itself, will tell the
keyserver to remove most data pertaining to that key.
https://gist.github.com/McDaMastR/d4781ce0fd0e4a0ad60fd85201031f5d
I would be beyond grateful if you could provide some constructive feedback!
Sincerely, Seth.
PGP Fingerprint
82B9 620E 53D0 A1AE 2D69 6111 C267 B002 0A90 0289
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 343 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250117/5701010d/attachment.sig>
More information about the Gnupg-users
mailing list