[Pkg-gnupg-maint] Bug#519333: gnupg: Please include support for encrypted keyserver queries [PATCH]
Micah Anderson
micah at debian.org
Wed Mar 11 22:11:42 UTC 2009
Package: gnupg
Version: 1.4.9-5
Severity: wishlist
Tags: patch
Hello,
There is a move towards providing keyserver queries over an encrypted
transport for the purposes of stopping the leakage of key query
information that could be used for transactional surveillance
purposes. There are keyservers now in the global pool that are set up
to provide encrypted transport, with more on their way.
The SKS keyserver developers are actively discussing how to add TLS
wrapped keyserver queries natively in the keyserver code[0]. Until
then people are setting up front-end SSL proxies, using things like
nginx. In fact, along with some other folks, I am running one which
supports this in the SKS pool[1] zimmerman.mayfirst.org.
The gnupg developers have introduced a patch to the upstream stable
branch of gnupg 1.4[2] which provides a simple mechanism for
performing secure hkps queries to keyservers, and according to the
original author, this will be in gpg2 in the next round of patch
integration[3]. The PGP developers are also implementing this in their
code. Also, the IETF seem to have also come to a similar position
recently[4].
It would be very much appreciated if Debian adopted the attached patch
so more people could have convenient access to this feature. When
upstream's STABLE-1.4 branch is released, then it could be simply
dropped. I've built and tested this and it works flawlessly, it's a
relatively small patch and upstream has already adopted it, so it
seems like a win all around.
Micah
0. thread starts at: http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00025.html
1. https://zimmerman.mayfirst.org or if you have installed the patch: hkps://zimmerman.mayfirst.org
2. http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
3. http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00036.html
4. http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html
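The front-end SSL proxy arrangement the report describes (nginx terminating TLS in front of an SKS daemon), as an added example configuration that is not part of this bug report, of the attached patch, or of the SKS or gnupg projects; the hostname, certificate paths and the loopback address SKS listens on are assumptions.

```nginx
# Added example, not from the bug report: nginx terminates TLS on 443 and
# forwards HKP requests to a local SKS daemon. Hostname and certificate
# paths are placeholders; SKS is assumed to listen on 127.0.0.1:11371,
# the default HKP port.
server {
    listen 443 ssl;
    server_name keys.example.org;                              # placeholder

    ssl_certificate     /etc/ssl/certs/keys.example.org.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/keys.example.org.key; # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Expose only the HKP endpoints (/pks/lookup, /pks/add); SKS itself
    # stays bound to the loopback interface and is never reached directly.
    location /pks/ {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
        # Deliberately no X-Forwarded-For / X-Real-IP: the point of the
        # encrypted transport is that lookups are not tied to a client.
    }

    # Key lookups are exactly the data this setup exists to protect, so
    # the proxy does not write them to its own access log either.
    access_log off;
}
```

With the patched gpg a client then points at the proxy with `keyserver hkps://keys.example.org` in gpg.conf, the same form as the hkps://zimmerman.mayfirst.org URL in footnote 1.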
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages gnupg depends on:
ii gpgv 1.4.9-4 GNU privacy guard - signature veri
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libcurl3-gnutls 7.18.2-8 Multi-protocol file transfer libra
ii libreadline5 5.2-4 GNU readline and history libraries
ii libusb-0.1-4 2:0.1.12-13 userspace USB programming library
ii zlib1g 1:1.2.3.3.dfsg-13 compression library - runtime
Versions of packages gnupg recommends:
ii libldap-2.4-2 2.4.15-1 OpenLDAP libraries
Versions of packages gnupg suggests:
pn gnupg-doc <none> (no description available)
ii imagemagick 7:6.3.7.9.dfsg1-3 image manipulation programs
ii libpcsclite1 1.5.2-1 Middleware to access a smart card
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg_hks.diff
Type: text/x-diff
Size: 11921 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20090311/0a27cd2d/attachment.diff