
Re: [Debconf-discuss] Last call for keys for keysigning in New York City, USA during DebConf10



On 08/19/2010 03:14 AM, Gaudenz Steinlin wrote:
> At least in theory a round robin dns name for all hkps enabled key
> servers would be possible. You just need someone trusted by most users
> to certify that your server is part of the pool. Most CAs (including
> CA-Cert) won't issue more than one certificate per name, though.
> 
> Could this be solved by using monkeysphere?

Yup, monkeysphere could definitely be helpful here, but there are some
odd corner cases that would need to be ironed out.

One nice feature of gnupg's architecture is that we can create a
key-fetching backend binary and drop it into
/usr/lib/gnupg/gpgkeys_${FOO} , referencing it with --keyserver
${FOO}://ks.example.net

An hkps pool that included certification by some reasonable certifiers
would be a nice thing, and just needs us to write a backend that
uses monkeysphere to do the validation of the hkps transactions.

This kind of pool does introduce an opportunity for violation of
expectations of confidentiality and/or integrity, though: in particular
the keyserver user must rely on the certifiers (who should probably be
the same entities as the pool maintainers) to include only keyserver
operators who will adhere to a specific code of conduct (e.g. not
logging queries, regular syncing, etc.).

	--dkg

Attachment: signature.asc
Description: OpenPGP digital signature