
Re: Check your signing key expiration dates!



Andrei POPESCU [2019-07-08T10:28:59+03] wrote:

> What would be the alternative to SKS keyservers?

Not "the" alternative but keyserver-wise there is
<https://keys.openpgp.org/> which I mentioned and which uses different
software. There are also other key delivery methods like WKD, or you can
just publish your key somewhere on the net.

>> If you happen to download a huge poisoned key from an SKS keyserver
>> the above mentioned options protect your local keyring from getting
>> unknown key signatures. The checking can take some time, though.
>
> As in processing or downloading time? My systems are quite low-powered
> (fanless).

Mostly processing time as "keyserver-option import-clean" has to check
every key signature of the downloaded key against the local keyring.
Anyway, that option should be enabled if you use SKS keyservers and
don't want to import huge spammed keys to your local keyring.

>> There is also <https://keys.openpgp.org>, a keyserver which doesn't
>> distribute third-party signatures at all.
>
> If my understanding is correct it enables only a very limited use-case
> (download keys to be able to check signatures).
>
> One still has to publish keys with signatures somehow...

keys.openpgp.org doesn't distribute third-party signatures. That's one
way to prevent key signature spamming. Usually third-party key
signatures (web of trust) are useful only within a specific project or
other group of people who can verify each other's keys. If one's circles
are small they can just export and send their key to their friends. An
established community can deliver keys through their mailing list, file
storage, web site or WKD service.

SKS keyservers are handy but because they are spammable (and are being
spammed) some people are starting to move elsewhere. For example, in
this discussion we realized that Debian developer Donald Norwood's updated
key (he signed the Debian 10 release announcement) wasn't found on the SKS
keyservers, but debian.org's WKD service returns a more up-to-date key.

I can see that this is happening: SKS keyservers will not be used as
actively anymore and we can't get everything from there. There will be
other keyserver implementations and other key delivery methods which
have more restrictive settings so that key signature spamming won't be
as easy.

-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tlikonen@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen

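As an added example (not from this thread and not GnuPG's own code), the following check counts the signature packets in a binary key export before it is imported, so the "huge poisoned key" described above can be spotted without the cost of checking every signature. It parses only the OpenPGP packet framing of RFC 4880 section 4.2; the SPAM_THRESHOLD value and the constructed sample blobs are assumptions.

```python
"""Pre-import check for a 'huge spammed key' (added example, not from the thread).
Only RFC 4880 section 4.2 packet framing is parsed; SPAM_THRESHOLD and the sample blobs are assumptions."""

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13  # RFC 4880 section 4.3
SPAM_THRESHOLD = 1000  # assumed: more signatures than this on one key is suspicious


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet of a binary (unarmored) OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        if hdr & 0x40:  # new format: tag in the low six bits, then length octets
            tag, o1 = hdr & 0x3F, data[pos + 1]
            if o1 < 192:
                length, pos = o1, pos + 2
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body length is not valid in key material")
        else:  # old format: tag in bits 2-5, length-type in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not valid in key material")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def key_stats(data: bytes) -> dict:
    """Count user IDs and signature packets; flag a key above SPAM_THRESHOLD."""
    tags = [tag for tag, _ in iter_packets(data)]
    sigs = tags.count(TAG_SIGNATURE)
    return {"user_ids": tags.count(TAG_USER_ID), "signatures": sigs,
            "suspicious": sigs > SPAM_THRESHOLD}


def _pkt(tag: int, body: bytes, old: bool = False) -> bytes:
    """Constructed test packet (dummy body, one-octet length) in either header style."""
    first = 0x80 | (tag << 2) if old else 0xC0 | tag
    return bytes([first, len(body)]) + body


# Constructed sample blobs: a normal key and one spammed with 1500 signatures.
_HEAD = (_pkt(TAG_PUBLIC_KEY, b"\x04" * 16, old=True)
         + _pkt(TAG_USER_ID, b"Example User <user@example.org>"))
NORMAL_KEY = _HEAD + _pkt(TAG_SIGNATURE, b"\x04" * 8) * 2
SPAMMED_KEY = _HEAD + _pkt(TAG_SIGNATURE, b"\x04" * 8) * 1500
```

Run `gpg --export KEYID > key.bin` (or fetch with `--keyserver-options no-import-clean` into a scratch keyring) and feed the file to `key_stats` to see the count before the key touches your main keyring.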
