[Pkg-gnupg-maint] Bug#519333: gnupg: Please include support for encrypted keyserver queries [PATCH]
David Shaw
dshaw at jabberwocky.com
Thu Mar 12 04:33:41 UTC 2009
On Mar 11, 2009, at 6:11 PM, Micah Anderson <micah at debian.org> wrote:
> Package: gnupg
> Version: 1.4.9-5
> Severity: wishlist
> Tags: patch
>
> Hello,
>
> There is a move towards providing keyserver queries over an encrypted
> transport for the purposes of stopping the leakage of key query
> information that could be used for transactional surveillance
> purposes. There are keyservers now in the global pool that are set up
> to provide encrypted transport, with more on their way.
>
> The SKS keyserver developers are actively discussing how to add TLS
> wrapped keyserver queries natively in the keyserver code[0]. Until
> then people are setting up front-end SSL proxies, using things like
> nginx. In fact, along with some other folks, I am running one which
> supports this in the SKS pool[1] zimmerman.mayfirst.org.
>
> The gnupg developers have introduced a patch to the upstream stable
> branch of gnupg 1.4[2] which provides a simple mechanism for
> performing secure hkps queries to keyservers, and according to the
> original author, this will be in gpg2 in the next round of patch
> integration[3]. The PGP developers are also implementing this in their
> code. Also, the IETF seems to have also come to a similar position
> recently[4].
>
> It would be very much appreciated if debian adopted the attached patch
> so more people could have convenient access to this feature. When
> upstream's STABLE-1.4 branch is released, then it could be simply
> dropped. I've built and tested this and it works flawlessly, it's a
> relatively small patch and upstream has already adopted it, so it
> seems like a win all around.
As the author of that patch, let me request that you - please - don't
adopt it just yet. To be sure, the feature is coming, but the exact
semantics are not yet set in stone. Adopting the feature before it is
finished and released ties the hands of those working on it, as it
would be much harder to make changes to the design.
David
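The front-end TLS proxy arrangement Micah describes above (nginx terminating TLS in front of an unmodified SKS daemon) looks roughly like the following. This is an added illustration, not configuration from the bug report, from mayfirst.org or from the SKS or GnuPG projects; the hostname and certificate paths are placeholders, and it assumes SKS is listening on 127.0.0.1:11371, its default HKP port.

```nginx
# Added example: nginx as a TLS front end for a local SKS keyserver.
# Assumptions: SKS answers plain HKP on 127.0.0.1:11371 (its default);
# keys.example.org and the certificate/key paths are placeholders.
server {
    listen 443 ssl;
    server_name keys.example.org;                               # placeholder

    ssl_certificate     /etc/ssl/certs/keys.example.org.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/keys.example.org.key;  # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Everything (/pks/lookup, /pks/add, ...) is passed through unchanged;
    # the only thing added is the encrypted transport between client and proxy.
    location / {
        proxy_pass         http://127.0.0.1:11371;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
    }
}
```

Two caveats a practitioner would want to keep in mind. First, this only protects the hop between the client and the proxy: the SKS daemon still sees the query in the clear, so the proxy and the daemon should sit on the same host or on a trusted network. Second, on the client side the value of the encrypted transport depends entirely on certificate verification; a client that accepts any certificate gains nothing against an active attacker. The exact client-side options (how gpg names the keyserver as hkps:// and which CA certificate it checks against) were, as David says above, still being settled when this message was written, so consult the documentation of the released gpg version rather than the draft patch.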