sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Keyserver] Hockeypuck 2.1.0 released

From: Casey Marshall
Subject: Re: [Keyserver] Hockeypuck 2.1.0 released
Date: Mon, 14 Dec 2020 10:21:03 -0600
Date: Fri, 11 Dec 2020 17:56:24 +0000
From: Stefan Claas <spam.trap.mailing.lists@gmail.com>
To: Casey Marshall via Gnupg-users <gnupg-users@gnupg.org>,
        sks-devel@nongnu.org, Casey Marshall <casey.marshall@gmail.com>
Subject: Re: [Keyserver] Hockeypuck 2.1.0 released
Message-ID:
        <CAC6FiZ6EPR-eUD0AzMCVz7m4c9Hxga1iSfG7jSC2HXwsOvFmWA@mail.gmail.com" target="_blank">CAC6FiZ6EPR-eUD0AzMCVz7m4c9Hxga1iSfG7jSC2HXwsOvFmWA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
On Fri, Dec 11, 2020 at 10:25 AM Werner Koch <wk@gnupg.org> wrote:
>
> On Thu, 10 Dec 2020 11:07, Casey Marshall said:
>
> >    - Authenticated key management. This adds a couple of extra endpoints
> >    which allow a key owner to replace and delete their key, authenticated by
> >    signing the armored key in the request. This allows a key owner to still
> >    update their own key once it has been inflated beyond the key
>
> Finally after more than 20 years waiting for someone to implement such a
> feature.  Yeah.  Where can I find the specs?
>
> Did you consider that an authenticated request to delete a key may not
> actually remove the key from the keyserver?  Instead the the primary key
> should be kept and the server prepared to receive and merge even
> unauthenticated revocation certificates.  This is important in case of a
> lost key (or passphrase forgotten) so that a pre-created revocation
> certificate can be uploaded.  Also avoids DoS after a key compromise.
Hi Werner and Casey,
I have a question for both of you.
When I reported a while ago on GitHub about a fake uat packet on Werner's
key you quickly fixed the issue and the added image of 'Donnie' no longer
showed up at the Ubuntu keyserver. Interestingly now GitHub shows zero
issues as of today, while yesterday still some issues where open and a lot
of them closed.

Hockeypuck has several issues still open on Github: https://github.com/hockeypuck/hockeypuck/issues
 
Now my second question how is/was this done with Werner's key?
SKS still shows Werner's key with signatures, while the Ubuntu keyserver
shows only a very small key now. Before that the Ubuntu key server showed
the sigs too and additionally the fake uat packet (Donnie image).
Does this mean that a GnuPG user can modify his key in such a way
and re-submit it, so that the result is now like Werner's key or can a
Hockerpuck operator do this (on behalf) of the key owner? The key
in question, on the Ubuntu keyserver has also no longer a UID, which
I thought only sequoia-pgp can handle and not GnuPG.
https://keyserver.ubuntu.com/pks/lookup?search=0x7b96d396e6471601754be4db53b620d01ce0c630&fingerprint=on&op=vindex
http://keys2.andreas-puls.de:11371/pks/lookup?search=0x7b96d396e6471601754be4db53b620d01ce0c630&fingerprint=on&op=vindex

The fix to this issue was to have Hockeypuck remove all packets lacking a currently-valid self-signature from responses. This removes fake packets (like the uat example) as well as expired identities. The self-signature on the UID packet in your example expired 2008-12-31, so it (and all of its third-party signatures) are pruned from the response. Only the public key packet remains.


Regards
Stefan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]