On 08/19/2010 03:14 AM, Gaudenz Steinlin wrote:
> At least in theory a round robin dns name for all hkps enabled key
> servers would be possible. You just need someone trusted by most users
> to certify that your server is part of the pool. Most CAs (including
> CA-Cert) won't issue more than one certificate per name, though.
>
> Could this be solved by using monkeysphere?

Yup, monkeysphere could definitely be helpful here, but there are some
odd corner cases that would need to be ironed out.

One nice feature of gnupg's architecture is that we can create a
key-fetching backend binary and drop it into
/usr/lib/gnupg/gpgkeys_${FOO}, referencing it with
--keyserver ${FOO}://ks.example.net

An hkps pool that included certification by some reasonable certifiers
would be a nice thing, and just needs us to write a backend that uses
monkeysphere to do the validation of the hkps transactions.

This kind of pool does introduce an opportunity for violation of
expectations of confidentiality and/or integrity, though: in particular
the keyserver user must rely on the certifiers (who should probably be
the same entities as the pool maintainers) to include only keyserver
operators who will adhere to a specific code of conduct (e.g. not
logging queries, regular syncing, etc).

--dkg