[Pkg-gnupg-maint] Bug#519333: [monkeysphere] Bug#519333: gnupg: Please include support for encrypted keyserver queries [PATCH]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Mar 11 22:47:56 UTC 2009
The referenced public keyserver running secure (TLS-wrapped) HKP is
actually spelled zimmermann.mayfirst.org, not zimmerman.mayfirst.org
(note the two final "n"s in the name).
It is currently serving HKP-over-TLS (tentatively known as "HKPS")
anchored by an X.509 certificate signed by a private certificate
authority run by the domain owners (mayfirst.org) [0]. If you want to
try the patch, you'll need to download the private CA's certificate [1],
and then connect with the following option in ~/.gnupg/gpg.conf:
keyserver hkps://zimmermann.mayfirst.org
keyserver-options ca-cert-file=/path/to/downloaded/mfpl.crt
Most people's OpenPGP keyrings are not refreshed often enough, and for
some people, this is because they don't like broadcasting the contents
of their keyring in the clear over the network with any frequency.
Out-of-date keyrings are more likely to fail in the face of missing
signatures, and are susceptible to abuse by compromised keys whose
revocation certificates have not been fetched.
Adoption of this patch by debian would facilitate private HKP traffic,
which would in increase the effectiveness of the OpenPGP WoT by
encouraging propagation of new signatures and revocations.
Regards,
--dkg
[0] https://support.mayfirst.org/wiki/mfpl_certificate_authority
[1]
https://support.mayfirst.org/raw-attachment/wiki/mfpl_certificate_authority/mfpl.crt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20090311/18acfc11/attachment.pgp
More information about the Pkg-gnupg-maint
mailing list