
Michał Górny (Gentoo) and Daniel Kahn Gillmor (Debian) on OpenPGP Security

Filed under
GNU
Linux
Gentoo
Security
Debian
  • Michał Górny: SKS poisoning, keys.openpgp.org / Hagrid and other non-solutions

    The recent key poisoning attack on SKS keyservers shook the world of OpenPGP. While this isn’t a new problem, it has not been exploited on this scale before. The attackers have proved how easy it is to poison commonly used keys on the keyservers and effectively render GnuPG unusably slow. A renewed discussion on improving keyservers has started as a result. It also forced Gentoo to employ countermeasures. You can read more on them in the ‘Impact of SKS keyserver poisoning on Gentoo’ news item.

    Coincidentally, the attack happened shortly after the launch of keys.openpgp.org, that advertises itself as both poisoning-resistant and GDPR-friendly keyserver. Naturally, many users see it as the ultimate solution to the issues with SKS. I’m afraid I have to disagree — in my opinion, this keyserver does not solve any problems, it merely cripples OpenPGP in order to avoid being affected by them, and harms its security in the process.

    In this article, I’d like to shortly explain what the problem is, and which of the different solutions proposed so far to it (e.g. on gnupg-users mailing list) make sense, and which make things even worse. Naturally, I will also cover the new Hagrid keyserver as one of the glorified non-solutions.

  • Daniel Kahn Gillmor: WKD for debian.org

    By default, this will show you any matching certificate that you already have in your GnuPG local keyring. But if you don't have a matching certificate already, it will fall back to using WKD.

    These certificates are extracted from the debian keyring and published at https://openpgpkey.debian.org/.well-known/debian.org/, as defined in the WKD spec. We intend to keep them up-to-date whenever the keyring-maint team publishes a new batch of certificates. Our tooling uses some repeated invocations of gpg to extract and build the published tree of files.

    Debian is currently not implementing the Web Key Directory Update Protocol (and we have no plans to do so). If you are a Debian developer and you want your OpenPGP certificate updated in WKD, please follow the normal procedures for Debian keyring maintenance like you always have.
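The WKD lookup that GnuPG falls back to is deterministic, so a publisher can predict exactly which path in the published tree a client will request for a given address. The following is an added example, not code from Debian's tooling or from the post above: it computes the WKD "hu" hash (z-base-32 encoding of the SHA-1 of the lower-cased local part, as specified in draft-koch-openpgp-webkey-service) and builds the request URLs for both the advanced method (the `openpgpkey.<domain>` host) and the direct method. The sample addresses are constructed for illustration; the path layout follows the draft, not the abbreviated URL quoted in the post.

```python
import hashlib
from typing import Dict

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes with z-base-32 (5 bits per symbol, no padding)."""
    acc = 0
    nbits = 0
    out = []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # flush the remaining bits, left-aligned in a final symbol
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hash of an address's local part: zbase32(sha1(lowercase(local)))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 20 bytes -> 32 symbols


def wkd_urls(email: str) -> Dict[str, str]:
    """URLs a WKD client tries for `email`, plus the publisher's relative path.

    The advanced method is tried first; the direct method is the fallback.
    The ?l= query carries the local part in its original case so the server
    can serve the right file even though the hash is case-insensitive.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
        # path a publisher writes the binary (not ASCII-armored) key to,
        # relative to the web root, for the advanced method
        "publish_path": f".well-known/openpgpkey/{domain}/hu/{h}",
    }


if __name__ == "__main__":
    # Constructed sample addresses, not real Debian accounts.
    for addr in ("Joe.Doe@Example.ORG", "someone@debian.org"):
        for name, url in wkd_urls(addr).items():
            print(f"{addr:24} {name:16} {url}")
```

You can cross-check the hash against GnuPG with `gpg --with-wkd-hash --fingerprint <address>`, which prints the same 32-character value. Note that WKD only tells a client where to fetch a key; GnuPG still imports only the user IDs that match the queried address, and nothing in the lookup authenticates the key beyond the TLS connection to the publisher's domain, so the trust you place in it is trust in the domain operator's key-management process (for debian.org, the keyring-maint procedures mentioned above).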
