[Pkg-gnupg-maint] Bug#519333: gnupg: Please include support for encrypted keyserver queries [PATCH]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 12 17:17:08 UTC 2009


On 03/12/2009 12:33 AM, David Shaw wrote:

> As the author of that patch, let me request that you - please - don't
> adopt it just yet.  To be sure, the feature is coming, but the exact
> semantics are not yet set in stone. Adopting the feature before it is
> finished and released ties the hands of those working on it, as it would
> be much harder to make changes to the design.

David, thanks for the quick feedback here (and for authoring the patch
in the first place!)  I understand why you wouldn't want your hands tied
for something that may change, and respect that.  Can i contribute to
sorting out the target semantics somehow?  What part of the semantics
are you concerned may change?  As far as i can tell, the user-facing
bits of the change are:

 * keyservers providing secured HKP are expected to run TLS-wrapped HKP
by default on port 11372 (the hkp port + 1).  of course, running on
alternate ports is not forbidden.

 * if a user prefixes their keyserver location with hkps:// , and gpg is
built with libcurl, gpg will wrap its connections to the keyserver
in TLS (using 11372 by default instead of 11371), and will verify the
remote machine's identity before performing keyserver access.

If it's useful to get feedback from people willing to experiment with
this stuff, here's some from me: this syntax (and the associated
semantics) seem reasonable to me, and they are actually working right
now in real world keyserver communications.

What are the alternatives that you're considering to the above
user-facing changes?  I'd be happy to review them (and to experiment
with them, if needed) and give feedback if that would be useful to you.

Besides the above, are there other details that you worry would be
prematurely set in stone by adoption of the patch?  The points above
seem to be the only user-visible changes, but of course i could be
missing things.

Regards,

	--dkg
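
The user-facing semantics listed in the message above, as an added Python example (not code from the patch, from gpg, or from either participant). The hostnames are constructed, and the function and class names are hypothetical; the default ports are the ones the message states.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Defaults as described in the message: hkp on 11371, TLS-wrapped hkps on hkp + 1.
DEFAULT_PORTS = {"hkp": 11371, "hkps": 11372}


@dataclass(frozen=True)
class KeyserverEndpoint:  # hypothetical name, for illustration only
    host: str
    port: int
    tls: bool


def resolve_keyserver(location: str) -> KeyserverEndpoint:
    """Map a keyserver location to host, port and whether TLS is required."""
    parts = urlsplit(location)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported keyserver scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("keyserver location has no host")
    # An explicit port wins: alternate ports are not forbidden.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return KeyserverEndpoint(parts.hostname, port, scheme == "hkps")


def tls_context_for(endpoint: KeyserverEndpoint) -> Optional[ssl.SSLContext]:
    """Return a verifying TLS context for hkps, or None for plain hkp."""
    if not endpoint.tls:
        return None
    ctx = ssl.create_default_context()
    # Stated explicitly: the server's identity is verified before any access.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect(endpoint: KeyserverEndpoint, timeout: float = 10.0) -> socket.socket:
    """Open the connection; for hkps the TLS handshake fails on a bad identity."""
    sock = socket.create_connection((endpoint.host, endpoint.port), timeout=timeout)
    ctx = tls_context_for(endpoint)
    if ctx is None:
        return sock
    return ctx.wrap_socket(sock, server_hostname=endpoint.host)
```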
