While the sks-keyservers.net domain and many of the old hostnames that powered it are dead & gone, the actual SKS keyserver network does in fact live on, complete with new & improved DOS mitigations and active development of the underlying server software powering it, Hockeypuck. More information can be found @ https://spider.pgpkeys.eu/ & https://github.com/hockeypuck/hockeypuck respectively.
Keyserver.ubuntu.com also exists, but has fallen out of sync with the network and to date has been unwilling to reengage.
-T
On Jul 22, 2024, at 05:00, nanog-request@nanog.org wrote:
> Message: 15
> Date: Sun, 21 Jul 2024 20:23:43 -0400
> From: Matt Corallo <nanog@as397444.net>
> To: Randy Bush <randy@psg.com>, North American Network Operators' Group <nanog@nanog.org>
> Subject: Re: pgp keyservers
> Message-ID: <23baf526-4319-49ba-aa6d-af3460ab925d@as397444.net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> pgp.mit.edu has been sporadically available for me over the last while, but yea AFAIU sks-keyservers shut down after the DoS drama, as did most of the old servers in the pool.
> I believe keyserver.ubuntu.com generally works and doesn't strip all the signatures and whatnot off keys when they upload.
> I think the hipster thing to do now, though, is --auto-locate-key with the Web Key Distribution or the DNSSEC Key Distribution mechanism.
> Matt
> On 7/21/24 7:25 PM, Randy Bush wrote:
>> are there any old keyservers still working? or only the new hipster ones? i tried three and no love
>> hkps://pgp.mit.edu
>> hkps://pgp.uni-mainz.de
>> hkps://hkps.pool.sks-keyservers
>> randy
> While the sks-keyservers.net domain and many of the old hostnames that powered it are dead & gone, the actual SKS keyserver network does in fact live on, complete with new & improved DOS mitigations and active development of the underlying server software powering it, Hockeypuck. More information can be found @ https://spider.pgpkeys.eu/ & https://github.com/hockeypuck/hockeypuck respectively.
i did a mild descent through the links on that web page.
very intentionally wearing my end luser hat, i did not find a simple hkps://entry to put in my `~/.gnupg/gpg.conf`. probably my fault.
randy
On Jul 22, 2024, at 09:48, Randy Bush <randy@psg.com> wrote:
> i did a mild descent through the links on that web page.
> very intentionally wearing my end luser hat, i did not find a simple hkps://entry to put in my `~/.gnupg/gpg.conf`. probably my fault.
> randy
That’s a fair point and we’d be open to ideas on how to improve that aspect to make it more accessible to end users, especially the less technically savvy ones. Please feel free to reach out directly either on or off list to discuss further. Currently there is no single hostname like the old SKS network to direct the client towards one of the currently operating peer nodes listed @ https://spider.pgpkeys.eu/sks-peers
While that previous architecture that powered the sks-keyservers pools (i.e. dynamic DNS CNAMEs & 3rd-party issued certificates for hkps) served the communities effectively for a number of years, it was ultimately too constricting and prevented the network from continuing to operate once the domain/key owner went MIA before finally deciding to pull the plug several years ago.
-T
>> very intentionally wearing my end luser hat, i did not find a simple hkps://entry to put in my `~/.gnupg/gpg.conf`. probably my fault.
> That’s a fair point and we’d be open to ideas on how to improve that aspect to make it more accessible to end users, especially the less technically savvy ones. Please feel free to reach out directly either on or off list to discuss further. Currently there is no single hostname like the old SKS network to direct the client towards one of the currently operating peer nodes listed @ https://spider.pgpkeys.eu/sks-peers
yay! i chose randomly, and hkps://pgp.cyberbits.eu worked. thank you!
we have been very good at making pgp hard to use. we probably want to not do that so much.
randy
participants (2): nanog@fleish.org, Randy Bush