oss-sec mailing list archives
Re: 0xdeadbeef comes of age: making keysteak with GnuPG
From: David Leon Gil <coruus () gmail com>
Date: Fri, 10 Oct 2014 12:01:52 -0400
On Fri, Oct 10, 2014 at 11:47 AM, Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:
> If we're going to advocate for accessing keyservers via https (which i think is a lovely idea, even if it doesn't mitigate all possible attacks), it's worth advocating for the well-curated hkps.pool.sks-keyservers.net [0], rather than encouraging everyone to flood either https://keybase.io or https://pgp.mit.edu with traffic.
My problem with the HKPS pool is that I don't know Kristian.[1] And I don't have any reason to believe that he'd suffer serious financial damage if the private key for the "sks-keyservers.net CA" got used maliciously.[2] (While I know that if a root CA were caught intentionally issuing an MitM cert for keybase.io or pgp.mit.edu, it would face likely delisting/bankruptcy.)

I'd be really happy if Kristian published a GPG-signed log of every valid certificate for servers in the HKPS pool; then it would be possible for the distrustful -- or targeted -- to, say, query multiple HKPS keyservers. This is even better than trusting Root CAs + Kristian.[3]

[1] Most hkps.pool.sks-keyservers.net servers don't have an alternative trust path to a standard root CA.

[2] This is different from saying that I think he *would intentionally* sign a malicious cert, which I don't. I just have no idea how secure the private key for that CA is. And I know that a fully isolated, physically secure facility, and a good HSM are really expensive. (But maybe he is doing this?)

[3] If this is already available somewhere, apologies; I haven't managed to find anything like it.
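The two mitigations the message proposes (a published log of the pool servers' certificates, plus querying several HKPS servers and comparing answers) can be sketched as a client-side check. The script below is an added example, not code from the thread or from the SKS pool; the "hostname sha256:<hex>" log format, the host names, the certificate bytes and the key blobs are all constructed, and it assumes the GPG signature on the log has already been verified out of band (for instance with `gpg --verify`) before the log text is handed to it. Certificate fingerprints are computed the way a client would from the PEM that `ssl.get_server_certificate()` returns.

```python
"""Cross-check HKPS pool servers against a published certificate log.

Added example, not part of the original thread. Assumptions (labelled):
  - the log format "hostname sha256:<hex>" is hypothetical;
  - the log's GPG signature is checked out of band before parsing;
  - hosts, certificate bytes and key material below are constructed.
"""
import base64
import hashlib
import ssl
from collections import Counter


def cert_fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER form of a PEM certificate, as lowercase hex.

    ssl.get_server_certificate((host, 443)) hands back PEM; the stdlib
    helper converts it to DER, which is what gets hashed.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def parse_cert_log(text: str) -> dict:
    """Parse an already signature-checked log into host -> {fingerprints}."""
    log = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        host, entry = line.split()
        algo, _, hexdigest = entry.partition(":")
        if algo != "sha256" or len(hexdigest) != 64:
            raise ValueError(f"unsupported fingerprint entry: {raw!r}")
        log.setdefault(host, set()).add(hexdigest.lower())
    return log


def server_cert_is_logged(log: dict, host: str, observed_fp: str) -> bool:
    """True only if the certificate seen on the wire appears in the log."""
    return observed_fp.lower() in log.get(host, set())


def cross_check(log: dict, observed_certs: dict, key_responses: dict, quorum: int = 2) -> dict:
    """Combine both checks: trust a server only if its certificate is logged,
    then require at least `quorum` logged servers to return identical key
    material before accepting an answer.

    observed_certs: host -> fingerprint seen on the TLS connection
    key_responses:  host -> bytes returned for the key lookup
    """
    trusted = [h for h, fp in observed_certs.items() if server_cert_is_logged(log, h, fp)]
    untrusted = [h for h in observed_certs if h not in trusted]
    digests = {h: hashlib.sha256(key_responses[h]).hexdigest()
               for h in trusted if h in key_responses}
    consensus, dissenting = None, []
    if digests:
        digest, votes = Counter(digests.values()).most_common(1)[0]
        if votes >= quorum:
            consensus = digest
            dissenting = [h for h, d in digests.items() if d != digest]
    return {"trusted": sorted(trusted), "untrusted": sorted(untrusted),
            "consensus": consensus, "dissenting": sorted(dissenting)}


# --- constructed sample data: not real hosts, certificates or keys ---
CERT_A = b"constructed DER for pool-a.example"
CERT_B = b"constructed DER for pool-b.example"
CERT_C = b"constructed DER for pool-c.example"
FP_A, FP_B, FP_C = (hashlib.sha256(c).hexdigest() for c in (CERT_A, CERT_B, CERT_C))

# PEM wrapper around CERT_A, as ssl.get_server_certificate() would return it
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(CERT_A).decode("ascii")
              + "-----END CERTIFICATE-----\n")

SAMPLE_LOG = f"""
# hypothetical signed log, one line per pool server certificate
pool-a.example sha256:{FP_A}
pool-b.example sha256:{FP_B}
pool-c.example sha256:{FP_C}
"""

# pool-c presents a certificate that is not in the log, so it is ignored
OBSERVED = {"pool-a.example": FP_A, "pool-b.example": FP_B,
            "pool-c.example": hashlib.sha256(b"unlogged certificate").hexdigest()}
KEY_BLOB = b"-----BEGIN PGP PUBLIC KEY BLOCK----- constructed key material"
RESPONSES = {"pool-a.example": KEY_BLOB, "pool-b.example": KEY_BLOB,
             "pool-c.example": b"different material from the unlogged server"}


def demo() -> dict:
    """Run the whole check over the constructed data."""
    return cross_check(parse_cert_log(SAMPLE_LOG), OBSERVED, RESPONSES)


if __name__ == "__main__":
    print(demo())
```

With the constructed data, pool-a and pool-b are accepted because their certificates match the log and they agree on the key material, while pool-c is excluded before its answer is counted, which is exactly the failure the message wants a targeted user to be able to detect.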
Current thread:
- 0xdeadbeef comes of age: making keysteak with GnuPG David Leon Gil (Oct 10)
- Re: 0xdeadbeef comes of age: making keysteak with GnuPG Daniel Kahn Gillmor (Oct 10)
- Re: 0xdeadbeef comes of age: making keysteak with GnuPG David Leon Gil (Oct 10)
- Re: 0xdeadbeef comes of age: making keysteak with GnuPG Daniel Kahn Gillmor (Oct 10)
- Re: Re: 0xdeadbeef comes of age: making keysteak with GnuPG Daniel Kahn Gillmor (Oct 10)
- Re: Re: 0xdeadbeef comes of age: making keysteak with GnuPG Kurt Seifried (Oct 10)
- Re: Re: 0xdeadbeef comes of age: making keysteak with GnuPG flapflap (Oct 10)
- Re: 0xdeadbeef comes of age: making keysteak with GnuPG David Leon Gil (Oct 10)
- Re: 0xdeadbeef comes of age: making keysteak with GnuPG Kristian Fiskerstrand (Oct 10)
- Re: 0xdeadbeef comes of age: making keysteak with GnuPG Werner Koch (Oct 10)
- Re: 0xdeadbeef comes of age: making keysteak with GnuPG Daniel Kahn Gillmor (Oct 10)