sks-devel

Re: [Sks-devel] Changes to sks-keyservers.net pools


From: Jeremy T. Bouse
Subject: Re: [Sks-devel] Changes to sks-keyservers.net pools
Date: Tue, 06 May 2014 08:46:58 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.4.0

On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
> Dear lists,
> 
> Following the release of SKS 1.1.5[0] the following changes will be
> made to the pools of sks-keyservers.net
> 
> subset.pool.sks-keyservers.net has been set to a minimum requirement
> of SKS 1.1.5 with immediate effect.
> 
> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to
> a requirement of 1.1.5 as this can potentially be in another security
> context / zone, however I'm giving this a grace period of (at least)
> 45-60 days to allow server administrators to upgrade their servers.
> 
> I'm not making any changes to the main pool at this point.
> 
> References:
> [0] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00026.html
> [1] http://www.openwall.com/lists/oss-security/2014/05/01/16
> 

Might I suggest that there be some time given for servers to be upgraded
before making this change? My servers run a stable baseline distro but I
deploy SKS via backported packaging which hasn't been upgraded and I'm
not going to compromise my system and run hand-rolled source deployments
as all my servers are managed via Puppet. I don't know about other
admins but I only deploy software packages and it is automated to maintain
consistency and remove human error. My server will be remaining at 1.1.4
until the backported package is available to be deployed at which time
I'll be able to update the deployed version in my config management and
they'll be upgraded.

XX: This is not being signed as I don't have my smartcard with my key on
it with me today.


