
Michał Górny (Gentoo) and Daniel Kahn Gillmor (Debian) on OpenPGP Security

  • Michał Górny: SKS poisoning, keys.openpgp.org / Hagrid and other non-solutions

    The recent key poisoning attack on SKS keyservers shook the world of OpenPGP. While this isn’t a new problem, it has not been exploited on this scale before. The attackers have proved how easy it is to poison commonly used keys on the keyservers and effectively render GnuPG unusably slow. A renewed discussion on improving keyservers has started as a result. It also forced Gentoo to employ countermeasures. You can read more on them in the ‘Impact of SKS keyserver poisoning on Gentoo’ news item.

    Coincidentally, the attack happened shortly after the launch of keys.openpgp.org, which advertises itself as both a poisoning-resistant and GDPR-friendly keyserver. Naturally, many users see it as the ultimate solution to the issues with SKS. I’m afraid I have to disagree — in my opinion, this keyserver does not solve any problems, it merely cripples OpenPGP in order to avoid being affected by them, and harms its security in the process.

    In this article, I’d like to briefly explain what the problem is, and which of the different solutions proposed so far to it (e.g. on the gnupg-users mailing list) make sense, and which make things even worse. Naturally, I will also cover the new Hagrid keyserver as one of the glorified non-solutions.

  • Daniel Kahn Gillmor: WKD for debian.org

    By default, this will show you any matching certificate that you already have in your GnuPG local keyring. But if you don't have a matching certificate already, it will fall back to using WKD.

    These certificates are extracted from the debian keyring and published at https://openpgpkey.debian.org/.well-known/debian.org/, as defined in the WKD spec. We intend to keep them up-to-date whenever the keyring-maint team publishes a new batch of certificates. Our tooling uses some repeated invocations of gpg to extract and build the published tree of files.

    Debian is currently not implementing the Web Key Directory Update Protocol (and we have no plans to do so). If you are a Debian developer and you want your OpenPGP certificate updated in WKD, please follow the normal procedures for Debian keyring maintenance like you always have.
