[pkg-gnupg-maint] Bug#923482: Bug#923482: dirmngr HKPS fails due to poorly configured certificates on *.pool.sks-keyservers.net

Jim Popovitch jimpop at domainmail.org
Fri Mar 1 23:01:52 GMT 2019



On Fri, 2019-03-01 at 15:24 -0500, Daniel Kahn Gillmor wrote:
> Hi Jim--
>
> On Thu 2019-02-28 14:51:07 -0500, Jim Popovitch wrote:
> > When a client uses HKPS keyservers dirmngr fails hard due to TLS
> > certificate validation errors:
>
> what pool are you using in particular?  it looks to me like you're using
> "ha.pool.sks-keyservers.net"
>
> However, https://sks-keyservers.net/overview-of-pools.php#pool_ha
> suggests that there is no guarantee that servers in that pool all offer
> hkps.  If you want hkps, you should use
> hkps://hkps.pool.sks-keyservers.net (conveniently, that happens to also
> be the default setting, which means it should be able to work with no
> keyserver setting in either ~/.gnupg/gpg.conf or ~/.gnupg/dirmngr.conf.


Daniel, the problem (and I know this isn't Debian specific, but it does
affect Debian users of dirmngr) is that the servers in
hkps.pool.sks-keyservers.net exist in Europe, whereas ha.pool and na.pool
have greater access. Ideally, in 2019, the totality of the pool servers
should all have TLS support. Debian should be spearheading this effort.

- -Jim P.


