Are SKS keyservers safe? Do we need them?

mailing list response

We’re one illicit-material-in-photo-uid incident away from global shutdown.

I first interacted with Kristian while setting up my keyserver a few years back. I wanted to join the HKPS pool, as I had configured HKPS to allow users secure HKP access over TLS, but couldn’t find a way to do so. I reached out to Kristian (who runs all of the pools) and he basically told me he didn’t recognize me and to come back when more people signed my personal key. He seemed very blunt, and I couldn’t understand why he would turn away free resources until I got random people to say they verified my identity. I believe in GPG, but any idiot can blindly participate in a key signing party. The strong set feels more like security theater than a valid vetting process.

Seeing the GDPR concerns and SKS vulnerabilities on the mailing list has resulted in a very polarizing environment. I’ve been running a keyserver for a few years and the mailing list has always seemed a bit rough around the edges. People are friendly enough when you request peers for a proper setup, but as a new user I’d be scared of being reprimanded for something I misconfigured rather than being offered help. When dealing with these recent concerns, half of the people on the list seem to be angry that any of this is happening while the other half want to make everything compliant and protect against the discovered exploits. It’s a shame, considering the reasonable people pushing to have the flaws dealt with are faced with so much opposition. The developers have been silent so far, not even a “we’re looking into it” as far as I have seen. It doesn’t say a lot for the future of SKS, or the longevity of the current pools while more admins drop off amidst concerns.

programmer creates duplicate keys
Denial of service attack



