Re: [Sks-devel] Wotsap (Was: sks in read-only mode?)
From: Linus Lüssing
Subject: Re: [Sks-devel] Wotsap (Was: sks in read-only mode?)
Date: Wed, 2 Nov 2011 11:15:02 +0100
User-agent: Mutt/1.5.20 (2009-06-14)
Hi Kim Minh, hi Gabor,
On Wed, Nov 02, 2011 at 09:22:49AM +0100, Kiss Gabor (Bitman) wrote:
> > I'm actually mostly interested in creating one local database from
> > various key servers which I could use for wotsap. And to achieve
> > this, I wouldn't need any bidirectional peering, just
> > read-only access / unidirectional syncing would be fine for me,
> > right?
>
> Hi Linus,
>
> Do you plan a public service?
> It would be extremely useful because both pathfinders I know (*)
> use the database of the Swiss OpenPGP Keyserver (http://opks.keyserver.ch:11371/pks/)
> that has been out of sync for several months (or even a year).
> Its status page says: database is corrupted.
Yeah. Hmm, I noticed that with the latest wotsapdb file from the wotsap
homepage I was seeing fewer trust paths than with pgp.cs.uu.nl. So
my intention was to build such a wotsapdb file myself and to check
trust paths on my own without having to trust someone else.
I didn't plan to make that service public so far, that's why I
was asking whether there is something like a read-only mode for
sks, so that no one would have to trust me and I wouldn't
have to register my private keyserver anywhere, but could still
basically have a synced mirror of the current PKI system.
Anyway, if there is some interest in having another keyserver in
the whole system, I could probably set one up on a machine (not in
the datacenter though) at my university and have the corresponding ports
opened by the sysadmins. Are there any requirements for
availability?
Also, I think I'm seeing a couple more issues that keep wotsap from
actually being useful for verifying trust paths automatically
(maybe I'm wrong on some points though, I've just started looking at
it):
* wotsap does not use gpg to actually verify the signatures within
  the wotsapdb file? (does sks check signatures before accepting
  them?)
* wotsap does not check trust signatures. And checking normal
  signatures for verifying a trust path does not really make sense
  to me (if I verify the ID of person x and sign their key with a
  normal signature, this doesn't mean that I think the
  signatures x makes are ok, as I might not even know
  that person)
* wotsap does not allow merging two wotsapdb files. So if I were
  able to verify signatures and only have verified signatures within a
  wotsapdb file, then if someone were somehow manipulating a / my
  pks or a public wotsapdb file to have fewer signatures, I
  could consult multiple sources to make such an attack
  pretty much impossible.
Cheers, Linus
>
> Regards
>
> Gabor
>
> * http://www.lysator.liu.se/~jc/wotsap/
> http://pgp.cs.uu.nl/
> --
> Wenn ist das Nunstück git und Slotermeyer?
> Ja! ... Beiherhund das Oder die Flipperwaldt gersput.
>
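The three points in Linus's list (take gpg's verdict on each signature rather than trusting the file, treat trust signatures differently from ordinary certifications, and merge signature data from more than one source so that a dropped signature can be recovered from another copy) can be shown in a small pathfinder. The code below is an added example for this thread; it is not wotsap's, sks's or the list authors' code. It reads `gpg --check-sigs --with-colons` style records, with field positions taken from GnuPG's doc/DETAILS; the key IDs and listings are constructed for the example, the two "sources" stand in for a private pks dump and a stale public dump, and the depth handling for trust signatures follows RFC 4880 section 5.2.3.13 as I read it.

```python
"""Web-of-trust pathfinder over GnuPG `--check-sigs --with-colons` output.

Added example (not wotsap's, sks's or the list authors' code). Three points
from the message above, as code:
  1. take gpg's verdict on each signature instead of trusting the file,
  2. distinguish trust signatures (tsig, with a depth) from plain certifications,
  3. merge the signature graph from several sources so a signature that one
     source dropped still counts if another source carries it.
Field positions follow GnuPG's doc/DETAILS; the sample listings below are
constructed for the example, not real keyserver data.
"""
import collections
from typing import Dict, List, Optional, Tuple

# signer keyid -> signee keyid -> (record type 'sig' | 'tsig', tsig depth)
Graph = Dict[str, Dict[str, Tuple[str, int]]]


def parse_colons(listing: str) -> Graph:
    """Build signer->signee edges, keeping only signatures gpg marked good ('!')."""
    graph: Graph = collections.defaultdict(dict)
    signee = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            signee = f[4]                      # the key the following sig records certify
        elif f[0] in ("sig", "tsig") and signee is not None:
            if f[1] != "!":                    # '-' bad, '?' key unknown, '%' error: drop it
                continue
            signer = f[4]
            if signer == signee:               # self-signature, certifies nobody else
                continue
            depth = int(f[7].split()[0]) if f[0] == "tsig" else 0  # tsig field 8: "depth value"
            graph[signer][signee] = (f[0], depth)
    return dict(graph)


def merge(*graphs: Graph) -> Graph:
    """Union of the edges of several sources.
    A good signature cannot be forged without the signer's key, so presence in any
    source is evidence; absence from one source may just be a dropped record.
    Where sources disagree on the same edge, keep the stronger record."""
    merged: Graph = collections.defaultdict(dict)
    for g in graphs:
        for signer, edges in g.items():
            for signee, (kind, depth) in edges.items():
                old = merged[signer].get(signee)
                if old is None or (kind == "tsig" and (old[0] != "tsig" or depth > old[1])):
                    merged[signer][signee] = (kind, depth)
    return dict(merged)


def find_path(graph: Graph, start: str, target: str, trust_only: bool = False) -> Optional[List[str]]:
    """Breadth-first search for a certification chain start -> ... -> target.

    With trust_only=True every intermediary must have been certified by a trust
    signature whose remaining depth still lets it act as introducer; only the
    final hop onto the target may be an ordinary certification.
    """
    unlimited = 1 << 30                        # our own key: no depth limit on what it certifies
    queue = collections.deque([(start, unlimited, [start])])
    best_budget = {start: unlimited}
    while queue:
        key, budget, path = queue.popleft()
        for nxt, (kind, depth) in graph.get(key, {}).items():
            if nxt == target:
                return path + [nxt]
            if trust_only:
                if kind != "tsig" or budget < 2:   # need a tsig and room to delegate one level
                    continue
                nbudget = min(depth, budget - 1)
                if nbudget < 1:                    # a depth-0 tsig delegates nothing
                    continue
            else:
                nbudget = unlimited
            if best_budget.get(nxt, -1) >= nbudget:
                continue                           # already reached at least as usefully
            best_budget[nxt] = nbudget
            queue.append((nxt, nbudget, path + [nxt]))
    return None


# ---- constructed sample data (hypothetical key IDs, not real keys) ----
ME, ALICE, BOB, CAROL, MALLORY, TARGET = (
    "A1A1A1A1A1A1A1A1", "B2B2B2B2B2B2B2B2", "C3C3C3C3C3C3C3C3",
    "D4D4D4D4D4D4D4D4", "E5E5E5E5E5E5E5E5", "F6F6F6F6F6F6F6F6")


def _pub(keyid: str, uid: str) -> str:
    return f"pub:f:4096:1:{keyid}:1300000000:::-:::scESC::::::23::0:\nuid:f::::1300000000::{uid}:"


def _sig(signer: str, verdict: str = "!", kind: str = "sig", tsig: str = "") -> str:
    cls = "13x" if kind == "tsig" else "10x"
    return f"{kind}:{verdict}::1:{signer}:1320000000::{tsig}::(uid):{cls}:"


# Source A: my own pks dump, but Carol's certification of Target has been dropped,
# and Mallory's signature on Target is bad (gpg reports '-').
SOURCE_A = "\n".join([
    _pub(ALICE, "Alice"), _sig(ALICE), _sig(ME, kind="tsig", tsig="2 120"),
    _pub(BOB, "Bob"), _sig(BOB), _sig(ME),
    _pub(CAROL, "Carol"), _sig(CAROL), _sig(ALICE, kind="tsig", tsig="1 120"),
    _pub(MALLORY, "Mallory"), _sig(MALLORY), _sig(ME),
    _pub(TARGET, "Target"), _sig(TARGET), _sig(BOB), _sig(MALLORY, verdict="-"),
])

# Source B: a stale public dump that still has Carol's certification of Target
# but does not yet know my trust signature on Alice.
SOURCE_B = "\n".join([
    _pub(ALICE, "Alice"), _sig(ALICE),
    _pub(CAROL, "Carol"), _sig(CAROL), _sig(ALICE, kind="tsig", tsig="1 120"),
    _pub(TARGET, "Target"), _sig(TARGET), _sig(CAROL), _sig(BOB),
])


def demo() -> dict:
    a, b = parse_colons(SOURCE_A), parse_colons(SOURCE_B)
    return {
        "plain_path_a": find_path(a, ME, TARGET),
        "trust_path_a": find_path(a, ME, TARGET, trust_only=True),
        "trust_path_b": find_path(b, ME, TARGET, trust_only=True),
        "trust_path_merged": find_path(merge(a, b), ME, TARGET, trust_only=True),
        "mallory_edges": a.get(MALLORY, {}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On source A alone a plain certification path exists (me, Bob, Target) but no trust-signature path, because Carol's certification of Target is missing; on source B alone there is none either, because my trust signature on Alice is missing; the merged graph yields me, Alice, Carol, Target. Mallory's bad signature never enters the graph, so a forged signature packet uploaded to a keyserver cannot create a path. The union in `merge` is deliberate: only signatures gpg verified are merged, so an attacker controlling one source can remove edges but cannot add them.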