Deployment question about non-public server with oneway feed


Deployment question about non-public server with oneway feed

Steffen Kaiser

Hi,

I have been asked to set up a local PGP key distribution, because some
attendees are concerned about spam harvesting and other things. One
condition is to support WKD and a key server, because some clients use a
key server only.

Because most client software cannot query multiple key servers, I thought
about a proxy that merges the results of one local and one SKS server
first, but found none.

So I guess my only option is to set up an SKS server and:

1) ask if someone would feed me one-way with updates, and
2) synchronize local uploads between WKD and this server.

I installed a test machine and verified that I can sync WKD and the
database of the SKS server both ways.

But: is this a valid setup? Would somebody recommend something different?

Is it possible to set up a one-way SKS update feed?

Kind regards,

--
Steffen Kaiser

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel
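Point 2 above (keeping WKD and the key server in step) depends on putting each key at the WKD location derived from its address. The Python below is an added example, not code from the original post or from SKS or GnuPG; it computes the WKD hash (SHA-1 of the lowercased local part, z-base32 encoded) and the direct and advanced lookup URLs from draft-koch-openpgp-webkey-service, and validates file names in a served hu/ directory against the z-base32 alphabet.

```python
import hashlib
import re

# z-base32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base32 (no padding characters are emitted)."""
    nbits = len(data) * 8
    pad = (-nbits) % 5               # pad the bit string up to a multiple of 5
    value = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(email: str) -> str:
    """WKD 'hu' file name: z-base32(SHA-1(lowercased local part))."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    digest = hashlib.sha1(local.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)      # 160 bits -> exactly 32 symbols


def wkd_urls(email: str) -> dict:
    """Direct and advanced WKD lookup URLs; the domain is lowercased,
    the l= parameter carries the local part as given."""
    local, _, domain = email.partition("@")
    domain = domain.lower()
    h = wkd_hash(email)
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{h}?l={local}"),
    }


def is_valid_wkd_hash(name: str) -> bool:
    """Sanity check for a file name found in a WKD hu/ directory."""
    return re.fullmatch(f"[{ZBASE32_ALPHABET}]{{32}}", name) is not None
```

The `wkd_hash` output for `Joe.Doe@Example.ORG` matches the vector given in the draft, which is a convenient self-test for any sync script before it writes keys into the hu/ directory.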

Re: Deployment question about non-public server with oneway feed

Hendrik Grewe
This setup reminds me of a recently asked question on this ML:

http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00032.html

Hope this helps.

Hendrik

--
_____________________________________________________________________
Hendrik Grewe                            [hidden email]
Public PGP-Key                           http://mypgpkey.b4ckbone.org
PGP-Fingerprint     B8D6 0D8C F5A9 410A 8077 66AE CF08 65D2 0A09 6F7B

PGP-encrypted mails are welcome!
_____________________________________________________________________

Re: Deployment question about non-public server with oneway feed

Steffen Kaiser

On Wed, 27 Jun 2018, Hendrik Grewe wrote:

> This setup reminds me of a recently asked question on this ML:
>
> http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00032.html
>
> hope this helps

yes, http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00041.html
states that: "Unless recon is enabled in both directions, the key delta
will inevitably grow to the point that recon will fail."

That means recon/gossip is not possible and updates via email are the
only option left.

I don't know if I like the idea of starting from scratch regularly, as also
mentioned in the thread. So I would pull the complete database once a
week, add the local changes and swap the servers.

Thanks,


--
Steffen Kaiser


Re: Deployment question about non-public server with oneway feed

Steffen Kaiser

On Wed, 27 Jun 2018, Steffen Kaiser wrote:

> On Wed, 27 Jun 2018, Hendrik Grewe wrote:
>
>> This Setup reminds me of a recently asked question on this ML:
>>
>> http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00032.html
>>
>> hope this helps
>
> yes, http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00041.html
> states that: "Unless recon is enabled in both directions, the key delta
> will inevitably grow to the point that recon will fail."
>
> That means recon/gossip is not possible and updates via email are the
> only option left.

for the archive:

email updates don't work either. I set up three systems with an SKS system
each:

+ system A and system B are configured to gossip with each other, thus
simulating the normal outside SKS peers / SKS cloud,
+ system C is my local installation, which must not talk to the outside, and
+ system B syncs via mail to system C (one-way).

If I upload a key to system B, it is synced to C. If I upload a key to
system A, it is synced to B, but not forwarded to C. So, mailsync is out
as well.

Thanks,


--
Steffen Kaiser


Re: Deployment question about non-public server with oneway feed

H Visage


On 28 Jun 2018, at 11:14, Steffen Kaiser <[hidden email]> wrote:


> for the archive:
>
> email updates don't work either. I set up three systems with an SKS system
> each:
>
> + system A and system B are configured to gossip with each other, thus
> simulating the normal outside SKS peers / SKS cloud,
> + system C is my local installation, which must not talk to the outside, and
> + system B syncs via mail to system C (one-way).
>
> If I upload a key to system B, it is synced to C. If I upload a key to
> system A, it is synced to B, but not forwarded to C. So, mailsync is out
> as well.


I also got the feeling that the mailsync was meant for when a key is *directly* uploaded to a server: it is emailed out then, not when the server receives keys via the recon/whisper partners (else everyone will send out emails with each and every sync, i.e. >100 mails/day…).

I think the (wish list) option is to have a 1-way sync setting, i.e. any and all keys you receive, you forward in that direction, no matter whether that server has the key or not, i.e. no recon/whisper, just: “I've received this key, here it is”.

---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
[hidden email]