[pkg-gnupg-maint] Bug#784286: dirmngr keyserver should default to hkps://hkps.pool.sks-keyservers.net
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon May 4 22:13:18 UTC 2015
Package: dirmngr
Version: 2.1.3-1
Severity: wishlist
We now have a robust hkps keyserver pool, as detailed at
https://sks-keyservers.net. This provides transport-layer encryption
to the pool of keyserver operators.

This doesn't solve all available problems:

 * It doesn't prevent information leakage to the keyserver operators
   themselves.
 * it doesn't protect users from malicious keyserver operators who
   want to deny updates
 * it doesn't protect users from traffic analysis by the network
   operator (there's no padding in TLS yet)

However, it does mean that by default, keyserver queries aren't
visible in the clear to anyone on the network, and that the traffic
can't be tampered with by anyone on the network path.

We need to think a little bit about how we'll manage the certificate
authority (see "HKPS pool verification" at
https://sks-keyservers.net/verify_tls.php), but i think that is likely
to be manageable.

--dkg
-- System Information:
Debian Release: 8.0
APT prefers stable
APT policy: (500, 'stable'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dirmngr depends on:
ii adduser 3.113+nmu3
ii libassuan0 2.2.0-1
ii libc6 2.19-18
ii libgcrypt20 1.6.3-2
ii libgnutls-deb0-28 3.3.8-6
ii libgpg-error0 1.19-1
ii libksba8 1.3.2-1
ii libldap-2.4-2 2.4.40+dfsg-1
ii libnpth0 1.0-1
ii lsb-base 4.1+Debian13+nmu1
dirmngr recommends no packages.
dirmngr suggests no packages.
-- debconf-show failed
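
An added example, not part of the original report and not dirmngr's own code: a small audit of dirmngr.conf text that flags keyserver entries without TLS and hkps entries that have no hkp-cacert option set, the two points the report raises. The function name, severity labels and sample configuration are constructed for illustration.

```python
from urllib.parse import urlsplit

TLS_SCHEMES = {"hkps", "https", "ldaps"}

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
# dirmngr.conf
keyserver hkp://keys.example.org
keyserver hkps://hkps.pool.sks-keyservers.net
"""


def audit_dirmngr_conf(text):
    """Return sorted (line_number, severity, message) findings for keyserver options."""
    findings, hkps_lines, has_cacert = [], [], False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        option = parts[0].lstrip("-").lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if option == "hkp-cacert" and value:
            has_cacert = True
        elif option == "keyserver" and value:
            # A value without an explicit scheme is treated as not encrypted.
            scheme = urlsplit(value).scheme.lower() if "://" in value else ""
            if scheme not in TLS_SCHEMES:
                findings.append((lineno, "high",
                                 f"{value}: no TLS, queries are readable and "
                                 "modifiable on the network path"))
            elif scheme == "hkps":
                hkps_lines.append(lineno)
    if not has_cacert:
        # The CA question from the report: which root is the pool checked against?
        for lineno in hkps_lines:
            findings.append((lineno, "review",
                             "hkps keyserver without hkp-cacert: confirm which CA "
                             "the server certificate is verified against"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, severity, message in audit_dirmngr_conf(SAMPLE_CONF):
        print(f"line {lineno}: [{severity}] {message}")
```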