Design of a Modern Keyserver Network
Andrew Gallagher
andrewg at andrewg.com
Sat Jan 18 15:11:29 CET 2025
Hi, Seth.
On 17 Jan 2025, at 22:59, Seth McDonald via Gnupg-users <gnupg-users at gnupg.org> wrote:
>
> To my understanding, it seems the vast
> majority of keyservers (connected via the 'SKS network') were functionally
> damaged due to a 2019 'certificate poisoning' attack, and were subsequently
> shut down in 2021 due to being unable to comply with the GDPR.
This is not strictly accurate. The sks-keyservers.net domain shut down due to the legal ambiguity of running (effectively) a proxy service for random other operators. And the SKS network transitioned away from the sks-keyserver software (which was unable to handle deletion requests or poisoned keys) to the more modern hockeypuck software (see https://hockeypuck.io). In the meantime, keys.openpgp.org was set up as a less-functional (but more reliable) service that was suitable as a safe default for existing clients.
The SKS network is therefore alive and well; it just doesn’t run on sks-keyserver any more. It also has fewer nodes (currently 21 exposed publicly) than it did at its peak (over 100), but due to the more modern codebase it is much more performant (and reliable). You can see the current state of the network at https://spider.pgpkeys.eu.
It is a long-term goal of most operators to realign the various keyservers around a more sustainable model. Suggestions are always appreciated, and anyone interested in working on keyserver improvements is most welcome. :-)
> https://gist.github.com/McDaMastR/d4781ce0fd0e4a0ad60fd85201031f5d
>
> I would be beyond grateful if you could provide some constructive feedback!
Thanks for this; I’ll read through it in more detail later. You may also be interested in the various existing proposals for fixing keyservers, some of which are already in the process of being implemented:
* https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-1pa3pc
* https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/ (linked: https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/-/issues/2)
* https://github.com/hockeypuck/hockeypuck/wiki/HIP-3:-Timestamp-aware-merge-strategy
* https://github.com/hockeypuck/hockeypuck/wiki/HIP-5:-Reliable-personal-data-deletion-using-self-signatures
Thanks again for your interest in the keyservers!
A