6 million


6 million

Skip Carter
Today we crossed the 6 million keys mark with 6000194 keys.

This group's name "sks-devel" is historical; no one appears to want to
admit to actually being a developer; we are actually sks-admins that spend a lot
of time keeping the plates spinning.  In the time I have been active I
have solicited help from many of you (and I hope that I in turn
contributed).


I have decided to collect pointers and suggestions on how to keep sks
running in the absence of any development support.  The idea is to
periodically publish it here so it can be used, updated, refined by
everyone. I expect to have version 0 here in the next couple of days.


--
Dr Everett (Skip) Carter  0xF29BF36844FB7922
[hidden email]

Taygeta Scientific Inc
607 Charles Ave
Seaside CA 93955
831-641-0645 x103



Re: 6 million

Stefan Claas
Skip Carter wrote:

> Today we crossed the 6 million keys mark with 6000194 keys.
>
> This group's name "sks-devel" is historical; no one appears to want to
> admit to actually being a developer; we are actually sks-admins that spend a lot
> of time keeping the plates spinning.  In the time I have been active I
> have solicited help from many of you (and I hope that I in turn
> contributed).
>
>
> I have decided to collect pointers and suggestions on how to keep sks
> running in the absence of any development support.  The idea is to
> periodically publish it here so it can be used, updated, refined by
> everyone. I expect to have version 0 here in the next couple of days.

Why still focusing on a dead project like SKS and not convincing the other
guys from Mailvelope or Hagrid to add peering capabilities?

What benefits do you have as an SKS operator, to still support such
old and dangerous GnuPG/SKS client-server model, in 2020?

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

Skip Carter
Stefan,

This has been such a frustrating experience that I am eager to jump ship.
I looked at Hagrid some time ago, I rejected it -- I no longer remember
why.  I will take another look.  I never investigated Mailvelope.

On Tue, 2020-04-14 at 17:00 +0200, Stefan Claas wrote:
>
> Why still focusing on a dead project like SKS and not convincing the
> other
> guys from Mailvelope or Hagrid to add peering capabilities?
>
> What benefits do you have as an SKS operator, to still support such
> old and dangerous GnuPG/SKS client-server model, in 2020?
>
>

--
Dr Everett (Skip) Carter  0xF29BF36844FB7922
[hidden email]

Taygeta Scientific Inc
607 Charles Ave
Seaside CA 93955
831-641-0645 x103




Re: 6 million

brent s.
In reply to this post by Stefan Claas
On 4/14/20 11:00, Stefan Claas wrote:
>
> Why still focusing on a dead project like SKS and not convincing the other
> guys from Mailvelope or Hagrid to add peering capabilities?
>

You do realize one can do both, right?

> What benefits do you have as an SKS operator, to still support such
> old and dangerous GnuPG/SKS client-server model, in 2020?

Are you on this list just to troll or do you have anything useful to say?


--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info



Re: 6 million

Todd Fleisher
On Apr 14, 2020, at 10:29, brent s. <[hidden email]> wrote:

>> What benefits do you have as an SKS operator, to still support such
>> old and dangerous GnuPG/SKS client-server model, in 2020?
>
> Are you on this list just to troll or do you have anything useful to say?

So much this. Some of us have a legitimate need for what SKS provides that can’t be accommodated by the new kids on the block like Hagrid & Mailvelope. Neither supports third party signatures and the web of trust. I’ve reached out to the Hagrid team about that & peering but  People also seem to still be actively using SKS for new & updated keys as well, based on the stats page.

On Apr 7, 2020, at 09:10, Skip Carter <[hidden email]> wrote:

> This group's name "sks-devel" is historical; no one appears to want to
> admit to actually being a developer; we are actually sks-admins that spend a lot
> of time keeping the plates spinning.

I have spent hardly any time keeping my SKS VMs operational for some time now (knock on wood). The last 2 issues I had were some VMs dropping out due to an underlying hardware problem unrelated to SKS even. I’ve posted about my configuration before on the list back on February 17, 2019 if you or anyone else is interested in improving your setup and possibly freeing up your time for other things.

-T



Re: 6 million

Stefan Claas
In reply to this post by brent s.
brent s. wrote:

> On 4/14/20 11:00, Stefan Claas wrote:
> >
> > Why still focusing on a dead project like SKS and not convincing the other
> > guys from Mailvelope or Hagrid to add peering capabilities?
> >
>
> You do realize one can do both, right?

Yes, and I have not seen here from the majority in the past, saying hey let's
try out (and switch) or asked the devs.

Regarding SKS, for example, I have not even seen its operators
support modern hockeypuck[1] (development) and give up the old SKS code.
> > What benefits do you have as an SKS operator, to still support such
> > old and dangerous GnuPG/SKS client-server model, in 2020?
>
> Are you on this list just to troll or do you have anything useful to say?

Excuse me if I sound like a troll. It is a valid question, because as you
may know public keys on SKS keyservers can be knocked out or not so nice
data can be added to them, thus not protecting users' keys.

In 2020 I would assume if I were interested in running a community service
I would try to give my best for its users, i.e. trying to protect their
data (public key blocks) as best as possible.

[1] Written in modern Golang!!! :-)

https://github.com/hockeypuck/hockeypuck

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

brent s.
On 4/14/20 15:17, Stefan Claas wrote:

> brent s. wrote:
>
>> On 4/14/20 11:00, Stefan Claas wrote:
>>>
>>> Why still focusing on a dead project like SKS and not convincing the other
>>> guys from Mailvelope or Hagrid to add peering capabilities?
>>>
>>
>> You do realize one can do both, right?
>
> Yes, and I have not seen here from the majority in the past, saying hey let's
> try out (and switch) or asked the devs.
We can't switch because the "replacements" lack functionality SKS has.
Until there is a complete replacement for SKS, SKS will continue to be
operated.

I can't speak for the other operators, but I've tried hockeypuck,
mailvelope, *and* Hagrid. None satisfy as a replacement. COULD they, in
the future? Sure. But none do yet, and as such, saying something like
"What benefits do you have as an SKS operator, to still support such
old and dangerous GnuPG/SKS client-server model, in 2020?" serves as
manipulative, conniving, and naive language. I don't understand why you
care what we run on our own hardware, especially given we don't have any
complete replacements.

>
> Regarding SKS, for example, I have not even seen its operators
> support modern hockeypuck[1] (development) and give up the old SKS code.
>

Probably because we're operators and not developers.

The SKS code is here, so "giving up" the code is a moot point:
https://bitbucket.org/skskeyserver/sks-keyserver/src/default/

Unless, of course, you mean "replace their deployments" - in which case,
see above.

> Excuse me if I sound like a troll. It is a valid question, because as you
> may know public keys on SKS keyservers can be knocked out or not so nice
> data can be added to them, thus not protecting users' keys.

That is not how any of the attacks work. At all. A keyserver can be
brought down but that doesn't magically put the integrity of the keys at
risk to tampering. (If it did, you'd have an issue with GnuPG or PGP,
not SKS.) Users' keys are protected just fine.

>
> In 2020 I would assume if I were interested in running a community service
> I would try to give my best for its users, i.e. trying to protect their
> data (public key blocks) as best as possible.
>

See above. You have a fundamental misunderstanding of the issues with SKS.


--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info



Re: 6 million

Stefan Claas
In reply to this post by Todd Fleisher
Todd Fleisher wrote:

> > On Apr 14, 2020, at 10:29, brent s. <[hidden email]> wrote:
> >
> >> What benefits do you have as an SKS operator, to still support such
> >> old and dangerous GnuPG/SKS client-server model, in 2020?
> >
> > Are you on this list just to troll or do you have anything useful to say?
>
> So much this. Some of us have a legitimate need for what SKS provides that
> can’t be accommodated by the new kids on the block like Hagrid & Mailvelope.
> Neither supports third party signatures and the web of trust. I’ve reached
> out to the Hagrid team about that & peering but  People also seem to still be
> actively using SKS for new & updated keys as well, based on the stats page.

I have talked last year with the Mailvelope guys about other things, but they
are very friendly. And I like to point out that Mailvelope keeps your
Signatures and is probably the most secure key server as of today. The only
thing missing AFAIK is the peering capabilities that SKS has, but I could
imagine if you guys would show your support to the Mailvelope keyserver, the
development team would listen. At least worth a try.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

Stefan Claas
In reply to this post by brent s.
brent s. wrote:

> On 4/14/20 15:17, Stefan Claas wrote:
> > brent s. wrote:

[...]

> > In 2020 I would assume if I were interested in running a community service
> > I would try to give my best for its users, i.e. trying to protect their
> > data (public key blocks) as best as possible.
> >
>
> See above. You have a fundamental misunderstanding of the issues with SKS.

Well, we could probably debate until we get blue in the face. I only had a
question as (a former) user of your services and even if I don't understand
the real issues SKS has, I tried to ask why SKS must be operated nowadays.

I do not want to manipulate people('s opinion) and I am fine that you guys
still operate your services, even if I can't understand why.

Regards
Stefan


--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

Todd Fleisher
In reply to this post by brent s.
On Apr 14, 2020, at 12:35, brent s. <[hidden email]> wrote:

>> Excuse me if I sound like a troll. It is a valid question, because as you
>> may know public keys on SKS keyservers can be knocked out or not so nice
>> data can be added to them, thus not protecting users' keys.
>
> That is not how any of the attacks work. At all. A keyserver can be
> brought down but that doesn't magically put the integrity of the keys at
> risk to tampering. (If it did, you'd have an issue with GnuPG or PGP,
> not SKS.) Users' keys are protected just fine.

Maybe I’m interpreting it differently, but I think Brent brings up a fair point here. The so-called “poisoned keys” with thousands of (bogus) signatures in SKS are rendered useless. This happened to my key last year so now people have to obtain it from other locations outside of SKS. I’m actually glad there are alternate key server environments that help meet this need even if I don’t like other things about said key servers.

On Apr 14, 2020, at 12:46, Stefan Claas <[hidden email]> wrote:

> Todd Fleisher wrote:
>
>> So much this. Some of us have a legitimate need for what SKS provides that
>> can’t be accommodated by the new kids on the block like Hagrid & Mailvelope.
>> Neither supports third party signatures and the web of trust. I’ve reached
>> out to the Hagrid team about that & peering but  People also seem to still be
>> actively using SKS for new & updated keys as well, based on the stats page.
>
> I have talked last year with the Mailvelope guys about other things, but they
> are very friendly. And I like to point out that Mailvelope keeps your
> Signatures and is probably the most secure key server as of today. The only
> thing missing AFAIK is the peering capabilities that SKS has, but I could
> imagine if you guys would show your support to the Mailvelope keyserver, the
> development team would listen. At least worth a try.

That’s good to hear. I’ve heard of Mailvelope, but haven’t really looked at it yet. Their site does specifically say “No Web of Trust” though, so I’m not sure it’s accurate to say they support third party signatures.

However, there are other issues I’m already seeing where people & GPG software packages are moving from SKS to Hagrid. Since the keys exist in both places, but likely will only get updated on the “newer” key server you have to know where to look for their most current key. There’s also Flowcrypt that maintains their own key server, so I’m a little hesitant to say it’s a good thing to add yet another key server to the mix for public consumption.

Finally, I know Hagrid doesn’t support wildcard domain searches. You have to know exactly what email address or GPG key ID you are looking for. This is also currently a show stopper for me as I use that combined with the web of trust to discover and validate keys for multiple domains.

On Apr 14, 2020, at 13:01, Stefan Claas <[hidden email]> wrote:

> I do not want to manipulate people('s opinion) and I am fine that you guys
> still operate your services, even if I can't understand why.

I think the simplest explanation is because people need and are using it (as seen in these stats from my 2 environments: https://imgur.com/a/cQ2Kr5h). Also, in my experience, it currently doesn’t take much time, effort, or resources on my end to keep it going. It’s certainly less effort leaving it in place than tearing it all down, but the real reason is it serves a useful function.

-T



Re: 6 million

Stefan Claas
Todd Fleisher wrote:

> > On Apr 14, 2020, at 12:46, Stefan Claas <[hidden email]> wrote:
> >
> > Todd Fleisher wrote:
> >
> >> So much this. Some of us have a legitimate need for what SKS provides that
> >> can’t be accommodated by the new kids on the block like Hagrid &
> >> Mailvelope. Neither supports third party signatures and the web of trust.
> >> I’ve reached out to the Hagrid team about that & peering but  People also
> >> seem to still be actively using SKS for new & updated keys as well, based
> >> on the stats page.
> >
> > I have talked last year with the Mailvelope guys about other things, but
> > they are very friendly. And I like to point out that Mailvelope keeps your
> > Signatures and is probably the most secure key server as of today. The only
> > thing missing AFAIK is the peering capabilities that SKS has, but I could
> > imagine if you guys would show your support to the Mailvelope keyserver, the
> > development team would listen. At least worth a try.
>
> That’s good to hear. I’ve heard of Mailvelope, but haven’t really looked at
> it yet. Their site does specifically say “No Web of Trust” though, so I’m not
> sure it’s accurate to say they support third party signatures.

I don't know why they are saying this, but if you would download my CA certified
public key block from their server, the CA sig3 is on my public key block.

Another thing I like about the Mailvelope keyserver is that when you upload your
public key block, they will send you an encrypted email, with a validation link,
so that your public key block is only available there, once you have confirmed
the link.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

Todd Fleisher
> On Apr 14, 2020, at 14:32, Stefan Claas <[hidden email]> wrote:
>
> I don't know why they are saying this, but if you would download my CA certified
> public key block from their server, the CA sig3 is on my public key block.

If I had to guess, I’d say they allow you to upload your own public key and don’t strip away any third party signatures you may have included in your upload. So if I wanted to sign your key I would have to do so, then send it to you to re-upload and re-confirm before it would be published. While this likely isn’t a big deal for the more tech-savvy folks out there who are already familiar with GPG, others would struggle with or just ignore it and not have any 3rd party signatures.

> Another thing I like about the Mailvelope keyserver is that when you upload your
> public key block, they will send you an encrypted email, with a validation link,
> so that your public key block is only available there, once you have confirmed
> the link.

This is what Hagrid does as well, minus the encrypted email part. And while it does provide a useful privacy/control function, it does increase the complexity (or at least the user touch points) as mentioned above.

-T



Re: 6 million

Arnold-27
In reply to this post by brent s.
On 14-04-2020 21:35, brent s. wrote:

> On 4/14/20 15:17, Stefan Claas wrote:
>> brent s. wrote:
>>
>>> On 4/14/20 11:00, Stefan Claas wrote:
>>>>
>>>> Why still focusing on a dead project like SKS and not convincing the other
>>>> guys from Mailvelope or Hagrid to add peering capabilities?
>>>>
>>>
>>> You do realize one can do both, right?
>>
>> Yes, and I have not seen here from the majority in the past, saying hey let's
>> try out (and switch) or asked the devs.
>
> We can't switch because the "replacements" lack functionality SKS has.

This kind of response killed many discussions we had in the past on this list about
possible solutions for the problems of SKS. We saw the problems coming, sat back,
watched while it happened and many have quit. That just makes me wonder who is the
troll?

Another good argument to end any remaining discussion was to state that the
proposed solution would not prevent the full one hundred percent of problems. So,
we never got to make the first step in hardening SKS to prevent abuse.

These two methods proved to be very effective. If there was one multi-personality
party (government?) bringing up these two arguments (sometimes repeatedly), with
the objective to stall SKS development, then they must be laughing out loud, about
how easy their job has been.


> Until there is a complete replacement for SKS, SKS will continue to be
> operated.

Without stating the 'must have' requirements, but simply stating 'complete', the
functionality causing the problems can never be removed or changed. Even trying to
state the objective of sks-keyservers.net never succeeded, as every operator had
their own objective to operate an SKS server. Therefore, trying to obtain the 'must
have' requirements is a mission impossible by itself.

Just my 2 cents.

Operate whatever software you like.

Kind regards,
   Arnold


Re: 6 million

Stefan Claas
In reply to this post by Todd Fleisher
Todd Fleisher wrote:

> > On Apr 14, 2020, at 14:32, Stefan Claas <[hidden email]> wrote:
> >
> > I don't know why they are saying this, but if you would download my CA
> > certified public key block from their server, the CA sig3 is on my public
> > key block.
>
> If I had to guess, I’d say they allow you to upload your own public key and
> don’t strip away any third party signatures you may have included in your
> upload. So if I wanted to sign your key I would have to do so, then send it
> to you to re-upload and re-confirm before it would be published. While this
> likely isn’t a big deal for the more tech-savvy folks out there who are
> already familiar with GPG, others would struggle with or just ignore it and
> not have any 3rd party signatures.
>
> > Another thing I like about the Mailvelope keyserver is that when you upload
> > your public key block, they will send you an encrypted email, with a
> > validation link, so that your public key block is only available there,
> > once you have confirmed the link.
>
> This is what Hagrid does as well, minus the encrypted email part. And while
> it does provide a useful privacy/control function, it does increase the
> complexity (or at least the user touch points) as mentioned above.

One thing about Mailvelope could also be said, for non-savvy PGP users who
are using the Firefox or Chrome extension Mailvelope: they do not have a
learning phase with their key server, because the plug-in, which does not
require a GnuPG installation, does those things automatically IIRC, so the
above would only be the case if users are using tools like GnuPG with
Thunderbird and Enigmail etc.

Thus the Mailvelope browser extension is IMHO also a good way for users with
only a free GMail etc. web email account.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

Philihp Busby
In reply to this post by Todd Fleisher
On 2020-04-14T11:05:09-0700 Todd Fleisher <[hidden email]> wrote 6.8K bytes:

> I have spent hardly any time keeping my SKS VMs operational for some time now
> (knock on wood). The last 2 issues I had were some VMs dropping out due to an
> underlying hardware problem unrelated to SKS even. I’ve posted about my
> configuration before on the list back on February 17, 2019 if you or anyone
> else is interested in improving your setup and possibly freeing up your time
> for other things.

I was in a similar position, but the non-zero effort could instead be zero by switching my configs to hkps://keys.openpgp.org and turning off my server. I ran my server as a service to others, but I did not feel it provided any value anymore, as keys.openpgp.org is now the default for a lot of tools.

On 2020-04-14T22:01:23+0200 Stefan Claas <[hidden email]> wrote 0.8K bytes:

> I do not want to manipulate people('s opinion) and I am fine that you guys
> still operate your services, even if I can't understand why.

I share this sentiment.


Re: 6 million

Stefan Claas
In reply to this post by Skip Carter
Skip Carter wrote:

> Today we crossed the 6 million keys mark with 6000194 keys.

Just out of curiosity, I looked at the stats and it says:

Keys added the past 7 days: 2,120
Keys added the past 30 days: 10,142

I wonder why so many uploads in the past? Are SKS key servers
nowadays used for other purposes instead of uploading regular
keys, or do these stats also count updated keys?

And in case those are not regular or updated keys, are there
any good keydump analyzing tools available which one can use
for analyzing the freely available key dumps?

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

Stefan Claas
Stefan Claas wrote:

> Skip Carter wrote:
>
> > Today we crossed the 6 million keys mark with 6000194 keys.
>
> Just out of curiosity, I looked at the stats and it says:
>
> Keys added the past 7 days: 2,120
> Keys added the past 30 days: 10,142
>
> I wonder why so many uploads in the past? Are SKS key servers
> nowadays used for other purposes instead of uploading regular
> keys, or do these stats also count updated keys?
>
> And in case those are not regular or updated keys, are there
> any good keydump analyzing tools available which one can use
> for analyzing the freely available key dumps?

I also ask because when one looks at daily/hourly stats the
time when submitted looks pretty uniformly distributed, which
I would not expect in a global PGP user network.

http://pgpkeysximvxiazm.onion/stats/

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

Re: 6 million

Gabor Kiss
In reply to this post by Stefan Claas
On Fri, 1 May 2020, Stefan Claas wrote:

> And in case those are not regular or updated keys, are there
> any good keydump analyzing tools available which one can use
> for analyzing the freely available key dumps?

I would create such a program from scratch but I cannot
find even the format description of the dump file. :-(

Gabor
--
A mug of beer, please. Shaken, not stirred.


Re: 6 million

Wiktor Kwapisiewicz
On 02.05.2020 07:55, Gabor Kiss wrote:
> I would create such a program from scratch but I cannot
> find even the format description of the dump file. :-(

Last time I checked, dumps were just packet piles so any OpenPGP tool
could read them.

I did a small proof-of-concept some time ago to read signature notations
from dumps and it worked really well:

https://gitlab.com/wiktor-k/pickaxe

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
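Wiktor's point above (a dump is a plain pile of RFC 4880 packets) and Stefan's earlier question about dump-analysis tools, as an added example that is not part of the thread and is not Wiktor's pickaxe tool: a small Python walker over the RFC 4880 packet framing (old- and new-format headers, including partial body lengths), which counts packet types, pulls notation subpackets out of v4 signatures, and lists keys carrying an unusually large number of certifications, the "poisoned key" pattern Todd describes. The sample bytes are constructed here and are not real keys; the 50-signature threshold and the assumption that every tag-2 packet belongs to the most recent tag-6 packet are simplifications chosen for this example.

```python
import struct
from collections import Counter

def _body_length(data, pos):
    """New-format length octets (RFC 4880 4.2.2): returns (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True   # partial body length; more chunks follow

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary packet pile, old- or new-format headers."""
    pos, end = 0, len(data)
    while pos < end:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {pos}")
        pos += 1
        if ctb & 0x40:                                  # new format: tag in low 6 bits
            tag, body, partial = ctb & 0x3F, b"", True
            while partial:
                length, pos, partial = _body_length(data, pos)
                body += data[pos:pos + length]
                pos += length
        else:                                           # old format: tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            width = (1, 2, 4, 0)[ltype]                 # 0 = indeterminate, rest of input
            length = int.from_bytes(data[pos:pos + width], "big") if width else end - pos
            pos += width
            body, pos = data[pos:pos + length], pos + length
        yield tag, body

def iter_subpackets(area):
    """Yield (type, data) per signature subpacket (RFC 4880 5.2.3.1); length counts the type octet."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # high bit of type = critical flag
        pos += length

def signature_notations(body):
    """Return [(name, value)] from notation subpackets (type 20) of a v4 signature body."""
    if body[0] != 4:
        return []                                        # v3 signatures carry no subpackets
    hashed_len = struct.unpack(">H", body[4:6])[0]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    subs = list(iter_subpackets(body[6:p])) + list(iter_subpackets(body[p + 2:p + 2 + unhashed_len]))
    found = []
    for stype, sp in subs:
        if stype == 20:                                  # flags(4) name_len(2) value_len(2) name value
            name_len, value_len = struct.unpack(">HH", sp[4:8])
            found.append((sp[8:8 + name_len].decode("utf-8", "replace"),
                          sp[8 + name_len:8 + name_len + value_len].decode("utf-8", "replace")))
    return found

def summarize_dump(data, sig_threshold=50):
    """Count packets per tag and signatures per key; list keys with more than sig_threshold sigs."""
    tags, keys = Counter(), []
    for tag, body in iter_packets(data):
        tags[tag] += 1
        if tag == 6:                                     # public-key packet opens a new key
            keys.append({"sigs": 0, "notations": []})
        elif tag == 2 and keys:                          # assumption: sig belongs to current key
            keys[-1]["sigs"] += 1
            keys[-1]["notations"].extend(signature_notations(body))
    oversized = [i for i, k in enumerate(keys) if k["sigs"] > sig_threshold]
    return {"tags": dict(tags), "keys": keys, "oversized": oversized}

# Constructed sample dump: structurally valid packets only, not real keys or verifiable signatures.
def _pkt(tag, body):                                     # new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

def _sub(stype, data):                                   # subpacket: length, type, data
    return bytes([len(data) + 1, stype]) + data

def _pubkey():                                           # old-format header 0x98 = tag 6, 1-octet length
    body = b"\x04\x5e\x95\xc0\x00\x01\x00\x08\xff"       # v4, creation time, RSA, 8-bit MPI
    return bytes([0x98, len(body)]) + body

def _sig(notations=()):                                  # v4 certification signature (type 0x10)
    hashed = b"".join(_sub(20, b"\x80\x00\x00\x00" + struct.pack(">HH", len(n), len(v)) + n + v)
                      for n, v in notations) + _sub(2, b"\x5e\x95\xc0\x00")
    return _pkt(2, bytes([4, 0x10, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
                + b"\x00\x00\xab\xcd\x00\x08\xff")       # no unhashed subpackets, left16, MPI

SAMPLE_DUMP = (
    _pubkey() + _pkt(13, b"Alice <alice@example.com>")
    + _sig([(b"purpose@example.com", b"constructed")]) + _sig()
    + _pubkey() + _pkt(13, b"Bob <bob@example.com>")
    + b"".join(_sig() for _ in range(60))                # signature flood on the second key
)
```

Running `summarize_dump(SAMPLE_DUMP)` reports two keys, the second carrying 60 certifications and therefore listed under `oversized`; on a real dump you would feed the file bytes to the same function, lower or raise the threshold to taste, and hand anything interesting to a full OpenPGP implementation, since this walker checks framing only and verifies nothing. Subkey packets (tag 14) and their binding signatures are counted against the parent key here, which is fine for spotting floods but would need separating for finer statistics.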


Re: 6 million

Gabor Kiss
On Sat, 2 May 2020, Wiktor Kwapisiewicz wrote:

> Last time I checked, dumps were just packet piles so any OpenPGP tool
> could read them.

Oh! RFC-4880. Thanks! :-)

Gabor